The security of practical quantum key distributionquic.ulb.ac.be/_media/publications/2009-RMP-81-001301.pdf · quantum channel, allowing them to share quantum sig-nals, and a classical

The security of practical quantum key distribution

Valerio ScaraniCentre for Quantum Technologies and Department of Physics, National Universityof Singapore, 3 Science Drive 2, Singapore 117543, Singaporeand Group of Applied Physics, University of Geneva, 20 rue de l’Ecole de Médicine, 1211Geneva, Switzerland

Helle Bechmann-PasquinucciUniversity of Pavia, Dipartimento di Fisica “A. Volta,” via Bassi 6, I-27100 Pavia, Italyand UCCI.IT, via Olma 26, I-23888, Rovagnate (LC), Italy

Nicolas J. CerfQuantum Information and Communication, Ecole Polytechnique, Université Librede Bruxelles, Avenue F. D. Roosevelt 50, B-1050 Brussels, Belgium

Miloslav Du!ekDepartment of Optics, Faculty of Science, Palack! University, 17. Iistopadu 12, 772 00,Olomouc, Czech Republic

Norbert LütkenhausInstitute for Quantum Computing and Department for Physics and Astronomy,University of Waterloo, 200 University Avenue W., Waterloo, ON N2L 3G1, Canadaand Max Planck Research Group, Institute for Optics, Information and Photonics,University of Erlangen-Nuremberg, Staudtstrasse 7/B2, 91058 Erlangen, Germany

Momtchil PeevQuantum Technologies, Smart Systems Division, Austrian Research Centers GmbH ARC,Donau-City, Strasse 1, 1220 Vienna, Austria

!Published 29 September 2009"

Quantum key distribution !QKD" is the first quantum information task to reach the level of maturetechnology, already fit for commercialization. It aims at the creation of a secret key betweenauthorized partners connected by a quantum channel and a classical authenticated channel. Thesecurity of the key can in principle be guaranteed without putting any restriction on an eavesdropper’spower. This article provides a concise up-to-date review of QKD, biased toward the practical side.Essential theoretical tools that have been developed to assess the security of the main experimentalplatforms are presented !discrete-variable, continuous-variable, and distributed-phase-referenceprotocols".

DOI: 10.1103/RevModPhys.81.1301 PACS number!s": 03.67.Dd

CONTENTS

I. Introduction 1302A. Cryptography 1302B. Basics of quantum key distribution 1303

1. Generic setting 13032. The origin of security 13043. The choice of light 13044. The BB84 protocol 13045. An example of eavesdropping 13056. Beyond the example: The field of QKD 1305

C. Scope of this review 13061. Focus 13062. Outline 1306

II. Elements of Practical QKD 1306A. Milestones 1306

1. Foundations: 1984–1995 1306

2. The theory-experiment gap opens:1993–2000 1307

3. Closing the gap: 2000 to the present 1307B. Generic QKD protocol 1308

1. Classical and quantum channels 13082. Quantum information processing 13083. Classical information processing 13094. Secret fraction and secret key rate 1309

C. Notions of security 13091. Unconditional security and its conditions 13092. Definition of security 13103. Security proofs 1310

D. Explicit protocols 13111. Three families 13112. Discrete-variable protocols 1311

a. BB84-BBM 1311b. SARG04 1312

REVIEWS OF MODERN PHYSICS, VOLUME 81, JULY–SEPTEMBER 2009

0034-6861/2009/81!3"/1301!50" ©2009 The American Physical Society1301

http://dx.doi.org/10.1103/RevModPhys.81.1301

c. Other discrete-variable protocols 13123. Continuous-variable protocols 1312

a. Gaussian protocols 1313b. Discrete-modulation protocols 1314

4. Distributed-phase-reference protocols 1314E. Sources 1315

1. Lasers 13152. Sub-Poissonian sources 13153. Sources of entangled photons 1316

F. Physical channels 13161. Fiber links 13172. Free-space links 1317

G. Detectors 13171. Photon counters 13172. Homodyne detection 1318

H. Synchronization and alignment 13191. Generalities 13192. Phase coding: Two configurations 1319

III. Secret Key Rate 1320A. Raw key rate 1320B. Secret fraction 1321

1. Classical information postprocessing 1321a. One-way postprocessing 1321b. Remarks on practical EC 1322c. Other forms of postprocessing 1322

2. Individual, collective, and coherent attacks 1322a. Individual !or incoherent" attacks 1322b. Collective attacks 1323c. General !or coherent" attacks 1323

3. Quantum side channels and zero-errorattacks 1324

4. Hacking attacks on practical QKD 13245. A crutch: The uncalibrated-device scenario 1325

IV. Discrete-Variable Protocols 1325A. Generic assumptions and tools 1325

1. Photon-number statistics 13252. Qubits and modes 1326

a. Sources: Tagging 1326b. Detectors: Squashing 1326

3. Secret key rate 1326B. BB84 coding: Lower bounds 1327

1. Prepare-and-measure: Generalities 13272. P&M without decoy states 13273. P&M with decoy states 13274. P&M: Analytical estimates 13285. Entanglement based 1329

C. BB84 coding: Upper bounds incorporating thecalibration of the devices 1329

1. Statistical parameters 13302. Upper bounds 1330

D. Bounds for the SARG04 coding 1330V. Continuous-Variable Protocols 1331A. Status of security proofs 1331B. Bounds for Gaussian protocols 1332

1. Generalities 13322. Modeling the noise 13323. Alice-Bob information 13334. Individual attacks 13335. Collective attacks 13336. Collective attacks and postselection 1334

VI. Distributed-Phase-Reference Protocols 1334A. Status of security proofs 1334B. Bounds for DPS and COW 1335

1. Collective beam-splitting attack 13352. More sophisticated attacks 1335

VII. Comparison of Experimental Platforms 1335A. Generalities 1335

1. Model for the source and channel 13362. Choice of the parameters 1337

B. Comparisons based on K 13371. All platforms on a plot 13372. Upper bound incorporating the calibration

of the devices 1338C. Comparison based on the “cost of a linear network” 1338

VIII. Perspectives 1339A. Perspectives within QKD 1339

1. Finite-key analysis 13392. Open issues in unconditional security 13393. Black-box security proofs 13404. Toward longer distances: Satellites and

repeaters 13405. QKD in networks 1340

B. QKD versus other solutions 1340Note added in proof 1342Acknowledgments 1342Appendix A: Unconditional Security Bounds for BB84 andSix-State Single-Qubit Signals 1342Appendix B: Elementary Estimates for Quantum Repeaters 1343

1. Quantum memories 13432. Model of quantum repeater 1343

a. Definition of the model 1343b. Detection rates 1344

References 1345

I. INTRODUCTION

A. Cryptography

Cryptography is a field of applications that providesprivacy, authentication, and confidentiality to users. Animportant subfield is that of secure communication, aim-ing at allowing confidential communication between dif-ferent parties such that no unauthorized party has accessto the content of the messages. This field has a longhistory of successes and failures, as many methods toencode messages emerged throughout the centuries,with the codes always broken some time later.

History need not repeat itself forever, though. In 1917,Vernam invented the so-called one-time pad encryption,which uses a symmetric, random secret key shared be-tween sender and receiver !Vernam, 1926". This schemecannot be broken in principle, provided the parties donot reuse their key. Three decades later, Shannonproved that the Vernam scheme is optimal: there is noencryption method that requires less key !Shannon,1949". This means that the key is being used up in theprocess. To employ this scheme, therefore, the commu-nicating parties must have a secure method to share a

1302 Scarani et al.: The security of practical quantum key …

Rev. Mod. Phys., Vol. 81, No. 3, July–September 2009

key that is as long as the text to be encrypted. Becauseof this limitation, which becomes severe when largeamounts of information have to be securely transmitted,most cryptographic applications nowadays are based onother schemes, whose security cannot be proved in prin-ciple, but is rather based on our experience that someproblems are hard to solve. In other words, theseschemes can be broken, but with a substantial amount ofcomputational power. One can therefore set a securityparameter to a value such that the amount of requiredcomputational power lies beyond the amount deemed tobe available to an adversary; the value can be adjustedin time, along with technological advances.

The picture has changed in the last two decades,thanks to unexpected inputs from quantum physics. Inthe early 1980s, Bennett and Brassard proposed a solu-tion to the key distribution problem based on quantumphysics !Bennett and Brassard, 1984"; this idea, indepen-dently rediscovered by Ekert a few years later !Ekert,1991", was the beginning of quantum key distribution!QKD", which was to become the most promising task ofquantum cryptography.1 Since then, QKD devices havecontinuously increased their key generation rate andhave started approaching maturity, ready for implemen-tation in realistic settings.

In an intriguing independent development, ten yearsafter the advent of QKD, Peter Shor discovered thatlarge numbers can in principle be factorized efficiently ifone can perform coherent manipulations on many quan-tum systems !Shor, 1994, 1997". The factorization oflarge numbers is an example of a mathematical task con-sidered classically hard to solve and for this reason re-lated to a class of cryptographic schemes which are cur-rently widely used. Although quantum computers havenot been realized yet, the mere fact that they could be

built might threaten the security of some cryptographicschemes.2

This review focuses therefore on the cryptographictask of key distribution, and in particular on its realiza-tion using quantum physics. Note that a secret keyserves many useful purposes in cryptography other thanmessage encryption: it can be used, for example, to au-thenticate messages, that is, to prove that a message hasindeed been sent by the claimed sender.

B. Basics of quantum key distribution

Here, we introduce the basic elements of QKD, forthe sake of those readers who are not familiar with thefield. Alternative presentations of this material are avail-able in many sources, ranging from books !Lo, 1998; Ek-ert et al., 2001; Le Bellac, 2006; Scarani, 2006" to otherreview articles !Gisin, Ribordy, Tittel, and Zbinden,2002; Du!ek, Lütkenhaus, and Hendrych, 2006; Lo andZhao, 2008".

1. Generic setting

The generic settings of QKD are shown in Fig. 1. Thetwo authorized partners, those that want to establish asecret key at a distance, are traditionally called Aliceand Bob. They need to be connected by two channels: aquantum channel, allowing them to share quantum sig-nals, and a classical channel, on which they can sendclassical messages forth and back.

The classical channel needs to be authenticated: thismeans that Alice and Bob identify themselves; a thirdperson can listen to the conversation but cannot partici-pate in it. The quantum channel, however, is open to anypossible manipulation from a third person. Specifically,the task of Alice and Bob is to guarantee securityagainst an adversarial eavesdropper, usually called Eve,3

tapping into the quantum channel and listening to theexchanges on the classical channel.

By a guarantee of security we mean that a non secretkey is never used: either the authorized partners cancreate a secret key !a common list of secret bits known

1Quantum cryptography is often identified with QKD, butactually comprises all possible tasks related to secrecy that areimplemented with the help of quantum physics. The first ap-pearance of a link between secrecy and quantum physics wasWiesner’s idea of quantum money, which dates back to theearly 1970s although published a decade later !Wiesner, 1983".To our knowledge, nothing else appeared before the Bennettand Brassard first QKD protocol. In 1999, two new tasks wereinvented and both were given the same name, quantum secretsharing. In one case, the protocol is a multipartite generaliza-tion of key distribution !Hillery, Bu"ek, and Berthiaume, 1999;Karlsson, Koashi, and Imoto, 1999"; in the other case, it refersto the sharing of secret quantum information, i.e., the goal isfor the authorized partners to share quantum information !in-stead of a list of classical random variables" known only tothem !Cleve, Gottesman, and Lo, 1999; Crépeau, Gottesman,and Smith, 2005". Other examples of cryptographic tasks arebit commitment or oblivious transfer; for these tasks, in con-trast to the case of QKD and secret sharing, quantum physicscannot guarantee unconditional security !Lo, 1997; Lo andChau, 1997; Mayers, 1997" and therefore their interest seemslimited—though new paradigms such as “bounded-storagemodels” may change this perception in the future !Damgaardet al., 2005, 2007; Wehner, Schaffner, and Terhal, 2008".

2This issue will be discussed in more detail in Sec. VIII.B.3The name, obtained from assonance with the English term

“eavesdropping,” is well suited for someone whose task is tomess things up.

! "U

C

FIG. 1. !Color online" The setting of QKD: Alice and Bobare connected by a quantum channel, into which Eve can tapwithout any restriction other than the laws of physics; and byan authenticated classical channel, into which Eve can onlylisten to.

1303Scarani et al.: The security of practical quantum key …


only to themselves" or they abort the protocol.4 There-fore, after the transmission of a sequence of symbols,Alice and Bob must estimate how much informationabout their lists of bits has leaked out to Eve. Such anestimate is obviously impossible in classical communica-tion: if someone is tapping into a telephone line, orwhen Eve listens to the exchanges on the classical chan-nel for that matter, the communication goes on unmodi-fied. This is where quantum physics comes into thegame: in a quantum channel, leakage of information isquantitatively related to degradation of the communica-tion. Next we delve a bit deeper into the physical rea-sons for this statement.

2. The origin of security

The origin of the security of QKD can be traced backto some fundamental principles of quantum physics.One can argue, for instance, that any action by whichEve extracts some information out of quantum states isa generalized form of measurement; and a well-knowntenet of quantum physics says that measurement in gen-eral modifies the state of the measured system. Alterna-tively, one may think that Eve’s goal is to have a perfectcopy of the state that Alice sends to Bob; this, however,is forbidden by the no-cloning theorem !Wootters andZurek, 1982", which states that one cannot duplicate anunknown quantum state while keeping the original in-tact. Both these arguments already appeared in theseminal paper of Bennett and Brassard !1984"; they leadto the same formalization. A third physical argumentcan be invoked, which is usually considered rather as afact than as a principle, but a very deep one: quantumcorrelations obtained by separated measurements onmembers of entangled pairs violate Bell’sinequalitiesand cannot therefore have been created by preestab-lished agreement. In other words, the outcomes of themeasurements did not exist before the measurements;but then, in particular, Eve could not know them !Ekert,1991". This argument supposes that QKD is imple-mented with entangled states.

The fact that security can be based on general prin-ciples of physics suggests the possibility of unconditionalsecurity, i.e., the possibility of guaranteeing securitywithout imposing any restriction on the power of theeavesdropper !see Sec. II.C.1". Indeed currently uncon-ditional security has been proved for several QKD pro-tocols.

3. The choice of light

In general, quantum information processing can beimplemented with any system, and indeed there are pro-posals to implement quantum computing with ions, at-oms, light, spins, etc. Abstractly, this is the case also forQKD: one could imagine performing a QKD experi-ment with electrons, ions, and molecules; however, lightis the only practical choice. Indeed, the task of key dis-tribution makes sense only if Alice and Bob are sepa-rated by a macroscopic distance: if they are in the sameroom, they have much easier ways of generating a com-mon secret key.

Now, as is well known, light does not interact easilywith matter; therefore quantum states of light can betransmitted to distant locations basically without deco-herence, in the sense that small perturbation is expectedin the definition of the optical mode. The problem withlight is scattering, i.e., losses: quite often, the photonsjust do not arrive. The way losses affect QKD varieswith the protocol and the implementation; we deal withthese issues later, but it is useful to give here a rapidoverview. First, losses impose bounds on the secret keyrate !which cannot scale with the distance better thanthe transmittivity of the line" and on the achievable dis-tance !where losses are so large that the signal is lost inspurious events, the “dark counts”". Second, losses mayleak information to the eavesdropper, according to thenature of the quantum signal: for coherent pulses this iscertainly the case; for single photons it is not; the casefor entangled beams is more subtle. A third basic differ-ence is determined by the detection scheme. Implemen-tations that use photon counters rely on postselection: ifa photon does not arrive, the detector does not click andthe event is simply discarded.5 On the contrary, imple-mentations that use homodyne detection always give asignal; therefore losses translate as additional noise.

In summary, QKD is always implemented with lightand there is no reason to believe that things will changein the future. As a consequence, the quantum channel isany medium that propagates light with reasonablelosses: typically, either an optical fiber or just free spaceprovided Alice and Bob have a line of sight.

4. The BB84 protocol

All the points and concepts introduced above will bedealt with later in this review. We first apply the generic

4No physical principle can prevent an adversary from cuttingthe channels, thus blocking all transfer of information betweenAlice and Bob. Stepping back then, one can imagine the fol-lowing eavesdropping strategy !suggested by A. Beveratos":Eve systematically cuts all QKD channels, until Alice and Bob,who after all want to communicate, opt for less securemethods—and then Eve gets the information. There is obvi-ously some humor in this idea but, given that Eve has no hopeif QKD is used correctly, this strategy may indeed be the mosteffective.

5Note that this is possible because the task is to distribute arandom key. In the early days of development of quantuminformation theory, some considered the possibility of sendingthe message directly via the quantum channel !Beige et al.,2002; Boström and Felbinger, 2002". This task has been called“quantum secure direct communication” and has generatedsome interest. However, it was soon recognized that the ideasuffers from two major defaults with respect to standard QKD:!i" It is obviously not robust against losses: you cannot affordto lose a significant amount of the message. !ii" It allows noanalog of privacy amplification: if an eavesdropper obtains in-formation, it is information on the message itself and of coursecannot be erased.



ideas to a very concrete example: the first QKD proto-col, published by Bennett and Brassard in 1984 andcalled therefore BB84 !Bennett and Brassard, 1984".

Suppose Alice holds a source of single photons. Thespectral properties of the photons are sharply defined sothe only degree of freedom left is polarization. Alice andBob align their polarizers and agree to use either thehorizontal or vertical !!" basis, or the complementarybasis of linear polarizations, i.e., +45/#45 !"". Specifi-cally, the coding of bits is

#H$, codes for 0+,

#V$, codes for 1+,

#+ 45$, codes for 0",

## 45$, codes for 1". !1"

We see that both bit values 0 and 1 are coded in twopossible ways, or more precisely in nonorthogonal statesbecause

# ± 45$ = !1/%2"!#H$ ± #V$" . !2"

Given this coding, the BB84 protocol goes as follows:

!1" Alice prepares a photon in one of the four statesabove and sends it to Bob on the quantum channel.Bob measures it in either the ! or the " basis. Thisstep is repeated N times. Both Alice and Bob nowhave a list of N pairs !bit, basis".!2" Alice and Bob communicate over the classicalchannel and compare the “basis” value of each item,discarding those instances in which they have useddifferent bases. This step is called sifting. At its end,Alice and Bob have a list of approximately N /2 bits,with the promise that for each of them Alice’s cod-ing matched Bob’s measurement. This list is calledthe raw key.

!3" Alice and Bob now reveal a random sample ofthe bits of their raw keys and estimate the error ratein the quantum channel, and thus in turn Eve’s in-formation. In the absence of errors, the raw key isidentical for Alice and Bob and Eve has no informa-tion: in this case, the raw key is already the secretkey. If there are errors, however, Alice and Bobhave to correct them and to erase the informationthat Eve could have obtained.6 Both tasks can beperformed by communication in the classical chan-nel, so this part of the protocol is called classicalpostprocessing. At the end of this processing, Aliceand Bob share either a truly secret key or nothing atall !if Eve’s information was too large".

5. An example of eavesdropping

A particularly simple eavesdropping strategy is theone called intercept resend. To obtain information, Evedoes the same as Bob: she intercepts the photon comingfrom Alice and measures it either in the ! or in the "basis. But Bob is waiting for some signal to arrive. Wethen suppose that Eve resends the same photon to Bob!Eve is limited only by the laws of physics: therefore, inparticular, she can perform a quantum nondemolitionmeasurement". If Eve has measured in the basis of Al-ice’s preparation, the photon is intact: in such instances,Eve has obtained full information on Alice’s bit withoutintroducing any errors. However, when Eve has chosenthe wrong basis, her result is uncorrelated with Alice’sbit; moreover, she has modified the state so that, even ifBob uses the same basis as Alice, half of the time he willget the wrong result.

On average, over long keys, this particular attackgives Eve full information on half of the bits of the rawkey !IE=0.5" at the price of introducing an error rateQ=0.25. Can a secure key be extracted under such con-ditions? One has to know how to quantify the length ofthe final key that can be extracted. For this particularcase, under some assumptions on the classical postpro-cessing, it holds !Csiszár and Körner, 1978", that

r = max&I!A:B" # IE,0' , !3"

where I!A :B"=H!A"+H!B"#H!AB" is the mutual in-formation between Alice’s and Bob’s raw keys !H isShannon entropy". Assuming that both bit values areequally probable, i.e., H!A"=H!B"=1, one has I!A :B"=1#h!Q", where h is the binary entropy. Having theseelements, one can replace the values obtained for theintercept-resend attack and find that I!A :B"#IE: Evehas more information on Alice’s string than Bob: there-fore no secret key can be extracted.7

Another simple exercise consists in supposing thatEve perform the intercept-resend attack only on a frac-tion p of the photons sent by Alice, and leaves the oth-ers untouched. Then obviously Q=p /4 and IE=p /2=2Q; this leads to the conclusion that, if Q$17%, asecure key cannot be extracted from the BB84protocol—at least if the classical postprocessing is doneaccording to the assumptions of Csiszár and Körner!1978".

6. Beyond the example: The field of QKD

The basic example just presented suggests a numberof important questions.

6Historical note: the procedure that erases the informationobtained by the eavesdropper was not discussed by Bennettand Brassard !1984" and first appeared a few years later !Ben-nett, Brassard, and Robert, 1988".

7This conclusion is valid for all protocols: no secret key canbe extracted if the observed statistics are compatible with Eveperforming the intercept-resend attack !Curty, Lewenstein,and Lütkenhaus, 2004". The reason is that this attack “breaks”the quantum channel into two pieces, in which case the corre-lations between Alice and Bob can always be obtained withclassical signals; and no secrecy can be distributed with classi-cal communication.



• The adversary is clearly not restricted to performingthe intercept-resend attack. What is the maximalamount of information Eve can possibly obtain, ifshe is allowed to do anything that is compatible withthe laws of physics? This is a question about the pos-sibility of proving unconditional security.

• The BB84 protocol is just a particular protocol. Whatabout other forms of coding and/or of processing thedata?

• The protocol supposed that the quantum signal is aqubit—explicitly, a bimodal single photon, i.e., an el-ementary excitation of the light field in only twomodes !polarization in the explicit example". Howclose can an implementation come to this? And, af-ter all, should any implementation of QKD actuallyaim at coming close to this?

• In a real device, information may leak out in chan-nels that are neglected in a theoretical description.What are the potential threats in an implementation?

The whole field of QKD has developed by answeringthese and similar questions.

C. Scope of this review

1. Focus

The label “quantum cryptography” applies nowadaysto a very wide range of interests, going from abstractmathematical considerations to strictly technological is-sues.

This review focuses somewhere in the middle of thisrange, in the realm where theoretical and experimentalphysics meet, which we call practical QKD. There, theo-rists cannot pursue pure formal elegance and are com-pelled to complicate their models in order to take realeffects into account; and experimentalists must have aserious grasp of theoretical issues in order to choose theright formulas and make the correct claims about thesecurity of their devices. Specifically, we want to addressthe following two concerns:

!1" On the one hand, the theoretical tools havereached a rather satisfactory level of development;but from outside the restricted group of experts, ithas become almost impossible to follow this devel-opment. This is also because quite a few strong se-curity claims made in the past had to be reconsid-ered in the light of better understanding. Astheorists involved in the development of securityproofs, we want to provide an updated review of thestatus of such proofs.

!2" On the other hand, several competing experi-mental platforms exist nowadays. It is desirable tohave a synthetic view of those, highlighting the in-terest and possible shortcomings of each choice.Also, we want to raise awareness of the complexityof any comparison: “physical” figures of merit suchas the secret key rate or the maximal achievable dis-

tance are in competition with “practical” figures ofmerit such as stability and cost.

Throughout the review, we also make reference tosome strictly mathematical or strictly technologicalprogress, but without any claim of exhaustiveness.

2. Outline

The review is structured as follows. Section II intro-duces the basic elements of practical QKD. Section III isdevoted to the rate at which a secret key is produced:this is the fundamental parameter of QKD, and dependsboth on the speed and efficiency of the devices and onthe intrinsic security of the protocol against eavesdrop-ping. The next three sections provide a detailed analysis,with a consistent set of explicit formulas, for the threemain families of protocols: those based on discrete-variable coding !Sec. IV", those based on continuous-variable coding !Sec. V", and those based on the morerecent distributed-phase-reference coding !Sec. VI". InSec. VII, we put everything together and sketch somedirections for comparison of different experimental plat-forms. Finally, in Sec. VIII, we discuss future perspec-tives for QKD, both as a field in itself and in the broadercontext of key distribution.

II. ELEMENTS OF PRACTICAL QKD

A. Milestones

1. Foundations: 1984–1995

Quantum key distribution unfolded with the presenta-tion of the first complete protocol !Bennett and Bras-sard, 1984", which was based on earlier ideas by Wiesner!1983". In the BB84 protocol, bits are coded in twocomplementary bases of a two-level system !qubit"; thisqubit is sent by Alice to Bob, who measures it. The no-cloning theorem is explicitly mentioned as the reason forsecurity. This work was published in conference pro-ceedings and was largely unknown to the community ofphysicists. It was not until 1991, when Artur Ekert, in-dependently from the earlier developments, published apaper on quantum key distributions that the field gainedrapid popularity !Ekert, 1991". Ekert’s argument for se-curity had a different flavor: an eavesdropper introduces“elements of reality” into the correlations shared by Al-ice and Bob; so, if they observe correlations that violatea Bell inequality, the communication cannot have beencompletely broken by Eve. Shortly thereafter, Bennett,Brassard, and Mermin argued8 that entanglement-basedprotocols, such as E91, are equivalent to prepare-and-

8The argument is correct under some assumptions; onlyaround 2006 was it fully realized that Ekert’s view is qualita-tively different and allows the set of assumptions about Alice’sand Bob’s devices to be reduced; see Sec. VIII.A.3. This is alsowhy the Ekert protocol was not implemented as such in anexperiment until very recently !Ling et al., 2008".



measure protocols, such as the BB84 protocol !Bennett,Brassard, and Mermin, 1992". The same year 1992 wit-nessed two additional milestones: the invention of theB92 protocol !Bennett, 1992" and the very first in-principle experimental demonstration !Bennett,Bessette, et al., 1992". One can reasonably conclude thefoundational period of QKD with the definition of pri-vacy amplification, the classical postprocessing neededto erase Eve’s information from the raw key !Bennett etal., 1995".

2. The theory-experiment gap opens: 1993–2000

After these foundational works, the interest and fea-sibility of QKD became apparent to many. Improvedexperimental demonstrations took place, first in thelaboratory with a growing distance of optical fiber fromthe optical table !Townsend, Rarity, and Tapster, 1993;Bréguet, Muller, and Gisin, 1994; Franson and Ilves,1994", and then in installed optical fibers !Muller, Zbin-den, and Gisin, 1995", thereby demonstrating that QKDcan be made sufficiently robust for a real-world imple-mentation. In this development, an obvious milestone isthe invention of the so-called plug-and-play setups bythe Geneva group !Muller et al., 1997; Ribordy et al.,1998". By 2000, QKD over large distances was also dem-onstrated with entangled photons !Jennewein et al.,2000; Naik et al., 2000; Tittel et al., 2000".

Theorists became very active too. New protocols wereproposed. For instance, the elegant six-state protocol,first mentioned back in 1984 as a possible extension ofBB84 !Bennett et al., 1984", was rediscovered and stud-ied in greater detail !Bruß, 1998; Bechmann-Pasquinucciand Gisin, 1999". But a much more complex task was atstake: the derivation of rigorous security proofs thatwould replace the intuitive arguments and the first, ob-viously suboptimal, estimates. The first such proof wasby Mayers, who included even advanced features such asthe analysis of finite key effects !Mayers, 1996, 2001".However, this proof is not very intuitive, and otherproofs emerged, starting from the basic principle of en-tanglement distillation !Deutsch et al., 1996" which wereput into a rigorous framework by Lo and Chau !1999".These entanglement-based proofs would require theability to perform quantum logic operations on signals.At present, we do not have the experimental capabilityto do so. Therefore the result by Shor and Preskill !2000"provided a step forward, as it combined the property ofMayers’ result of using only classical error correctionand privacy amplification with a very intuitive way ofproving the security of the BB84 protocol. That resultuses the ideas of quantum error correction methods, andreduces the corresponding quantum protocol to classi-cally assisted prepare-and-measure protocol.

As of 2000 therefore, both experimental and theoret-ical QKD had made very significant advances. However,almost inevitably, a gap had opened between the two:security proofs had been derived only for very idealizedschemes; setups had been made practical without payingattention to all the security issues.

3. Closing the gap: 2000 to the present

Awareness of the gap was triggered by the discoveryof photon-number-splitting !PNS" attacks !Brassard, Lüt-kenhaus, et al., 2000" which had actually been antici-pated years before !Bennett, 1992; Huttner et al., 1995;Du!ek, Haderka, and Hendrych, 1999" but had passedrather unnoticed. The focus is on the source: the theo-retical protocols supposed single-photon sources, but ex-periments were using attenuated laser pulses, with aver-age photon numbers below 1. In these pulses, photonsare distributed according to Poissonian statistics: in par-ticular, there are sometimes two or more photons, andthis opens an important loophole. Security proofs can beadapted to deal with the case !Lütkenhaus, 2000; Got-tesman, Lo, Lütkenhaus, and Preskill, 2004; Inamori,Lütkenhaus, and Mayers, 2007": the extractable secretkey rate was found to scale much more poorly with thedistance than for single-photon sources !t2 compared tot, where t is the transmittivity of the quantum channel".

It took a few years to realize that methods can bedevised to reduce the power of PNS attacks while keep-ing the very convenient laser sources. One improvementcan be made by a mere change of software by modifyingthe announcements of the BB84 protocol !Scarani, Acín,Ribordy, and Gisin, 2004": in this SARG04 protocol, thekey rate scales as t3/2 !Koashi, 2005; Kraus, Gisin, andRenner, 2005". Another significant improvement can bemade by an easy change of hardware: by varying thequantum state throughout the protocol !decoy states",one can perform a more complete test of the quantumchannel !Hwang, 2003". When the decoy state idea isapplied to laser sources, the key rate scales as t !Lo, Ma,and Chen, 2005; Wang, 2005".

Parallel to this development, the field of practicalQKD9 has grown in breadth and maturity. New familiesof protocols have been proposed, notably continuous-variable protocols !Ralph, 1999; Hillery, 2000; Cerf,Lévy, and Van Assche, 2001; Gottesman and Preskill,2001; Grosshans and Grangier, 2002; Silberhorn et al.,2002" and the more recent distributed-phase-referenceprotocols !Inoue, Waks, and Yamamoto, 2002; Stucki etal., 2005". Critical thinking on existing setups has led tothe awareness that security against Eve tapping into thequantum channel is not all that should be considered:one should also protect the devices against more com-monplace hacking attacks and verify that informationdoes not leak out in side channels !Makarov and Hjelme,2005". Recently, QKD has also reached the commercialmarket: at least three companies10 are offering workingQKD devices. New questions can now be addressed: inwhich applications QKD can help !Alléaume et al.,

9The whole field of QKD witnessed many other develop-ments, especially in theoretical studies, which are not discussedhere but are mentioned later.

10idQuantique, Geneva !Switzerland" !www.idquantique.com"; MagiQ Technologies, Inc., New York !www.magiqtech.com"; and Smartquantum, Lannion !France" !www.smartquantum.com".



2007", how a network of QKD systems can beimplemented,11 how QKD devices can be certified forcommercial markets !including the verification thatthese devices indeed satisfy the specifications of the cor-responding security proofs", etc.

B. Generic QKD protocol

1. Classical and quantum channels

As mentioned in Sec. I.B, Alice and Bob need to beconnected by two channels. On the quantum channel,Alice can send quantum signals to Bob. Eve can interactwith these signals, but if she does, the signals arechanged because of the laws of quantum physics—theessence of QKD lies precisely here.

On the classical channel, Alice and Bob can send clas-sical messages back and forth. Eve can listen withoutpenalty to all communication that takes place on thischannel. However, in contrast to the quantum channel,the classical channel is required to be authenticated sothat Eve cannot change the messages that are being senton this channel. Failure to authenticate the classicalchannel can lead to a situation where Eve impersonatesone of the parties to the other, thus entirely compromis-ing the security. Unconditionally secure authentication12

of the classical channel requires Alice and Bob to pre-share an initial secret key or at least partially secret butidentical random strings !Renner and Wolf, 2005". QKDtherefore does not create a secret key out of nothing:rather, it expands a short secret key into a long one, sostrictly speaking it is a method of key growing. This re-mark calls for two comments. First, key growing cannotbe achieved by use of classical means alone, whenceQKD offers a real advantage. Second, it is important toshow that the secret key emerging from QKD is com-posable, that is, it can be used like a perfect randomsecret key in any task !see Sec. II.C.2" because one hasto use a part of it as authentication key for the nextround.

2. Quantum information processing

The first step of a QKD protocol is the exchange andmeasurement of signals on the quantum channel. Alice’srole is encoding: the protocol must specify which quan-tum state #%!Sn"$ codes for the sequence of n symbolsSn= &s1 , . . . ,sn'. In most protocols, but not in all, thestate #%!Sn"$ has the tensor product form #&!s1"$ ! ¯

! #&!sn"$. In all cases, it is crucial that the protocol uses aset of nonorthogonal states,13 otherwise Eve could de-code the sequence without introducing errors by mea-suring in the appropriate basis !in other words, a set oforthogonal states can be perfectly cloned". Bob’s role istwofold: his measurements of course allow the signal tobe decoded, but also an estimation of the loss of quan-tum coherence and therefore Eve’s information. For thisto be possible, noncompatible measurements must beused.

We have described the quantum coding of QKDprotocols with the language of prepare-and-measure!P&M" schemes: Alice chooses actively the sequenceSn she wants to send, prepares the state #%!Sn"$, andsends it to Bob, who performs some measurement. Anysuch scheme can be immediately translated into anentanglement-based !EB" scheme: Alice prepares the en-tangled state

#'n$AB =1

%dn(Sn

#Sn$A ! #%!Sn"$B, !4"

where dn is the number of possible Sn sequences and#Sn$A form an orthogonal basis. By measuring in this ba-sis, Alice learns one Sn and prepares the corresponding#%!Sn"$ on the subsystem that is sent to Bob: from Bob’spoint of view, nothing changes. This formal translationdoes not mean that both realizations are equally practi-cal or even feasible with present-day technology. How-ever, it implies that the security proof for the EB proto-col translates immediately to the corresponding P&Mprotocol and vice versa.

A frequently quoted statement concerning the role ofentanglement in QKD says that “entanglement is a nec-essary condition to extract a secret key” !Curty, Lewen-stein, and Lütkenhaus, 2004; Acín and Gisin, 2005". Twoimportant comments have to be made to understand thiscorrectly. First, this is not a statement about implemen-tations, but about the quantum channel: it says that nokey can be extracted from an entanglement-breakingchannel.14 In particular, the statement does not say thatentanglement-based implementations are the only se-cure ones.

Second, as formulated above, the statement has beenderived under the assumption that Eve holds a purifica-

11This is the aim of the European Network SECOQC!www.secoqc.net".

12Authentication schemes that do not rely on preshared se-crecy exist, but are not unconditionally secure. Since we aim atunconditional security for QKD, the same level of securitymust in principle be guaranteed in all auxiliary protocols.However, breaking the authentication code after one round ofQKD does not threaten security of the key that has been pro-duced; one may therefore consider authentication schemesthat guarantee security only for a limited time, e.g., thosebased on complexity assumptions.

13There is only one exception !Goldenberg and Vaidman,1995" when Alice uses just two orthogonal states. Alice pre-pares a qubit in one of the two orthogonal superpositionsof two spatially separated states; then—at a random timeinstant—she sends one component of this superposition toBob. Only later does she send the second component. Precisetime synchronization between Alice and Bob is crucial. Seealso Peres !1996", Goldenberg and Vaidman !1996", and a re-lated discussion !Koashi and Imoto, 1997". Unconditional se-curity has not been proved for this protocol.

14As the name indicates, a channel (!(!=C!(" is called en-tanglement breaking if !1 ! C"#%$AB is separable for any input#%$AB. A typical example of such a channel is obtained byperforming a measurement on half of the entangled pair.



tion of (AB, where A and B are the degrees of freedomthat Alice and Bob are going to measure. One may ask amore general question, namely, how to characterize theprivate states, i.e., the states out of which secrecy can beextracted !Horodecki et al., 2005, 2008a, 2008b". It wasrealized that, in the most general situation, Alice andBob may control some additional degrees of freedom A!and B!; thus, Eve is not given a purification of (AB, butof (AA!BB!. In such a situation, it turns out that (AB caneven be separable; as for (AA!BB!, it must be entangled,but may even be bound entangled. The reason is quiteclear: A! and B! shield the meaningful degrees of free-dom from Eve’s knowledge. We do not consider thismost general approach in what follows15 because cur-rently no practical QKD scheme with shielding systemshas been proposed.

3. Classical information processing

Once a large number N of signals have been ex-changed and measured on the quantum channel, Aliceand Bob start processing their data by exchanging com-munication via the classical channel. In all protocols, Al-ice and Bob estimate the statistics of their data; in par-ticular, they can extract the meaningful parameters ofthe quantum channel: error rate in decoding, loss ofquantum coherence, transmission rate, detection rates,etc. This step, called parameter estimation, may be pre-ceded in some protocols by a sifting phase, in which Al-ice and Bob agree to discard some symbols !typically,because Bob learns that he has not applied the suitabledecoding on those items". After parameter estimationand possibly sifting, both Alice and Bob hold a list ofn)N symbols, called raw keys. These raw keys are onlypartially correlated and only partially secret. Using someclassical information post-processing !see Sec. III.B.1",they can be transformed into a fully secure key K oflength !)n. The length ! of the final secret key dependsof course on Eve’s information about the raw keys.

4. Secret fraction and secret key rate

In the asymptotic case N!* of infinitely long keys,the meaningful quantity is the secret fraction16

r = limN!*

!/n . !5"

The secret fraction is clearly the heart of QKD: this isthe quantity for which the security proofs Sec. II.C.3must provide an explicit expression. However, a moreprosaic parameter must also be taken into account aswell in practical QKD: namely, the raw-key rate R, i.e.,the length of the raw key that can be produced per unittime. This rate depends partly on the protocol: for in-

stance, it contains the sifting factor, i.e., the fraction ofexchanged symbols that is discarded in a possible siftingphase. But certainly its largest dependence is on the de-tails of the setup: repetition rate of the source, losses inthe channel, efficiency and dead time of the detectors,possible duty cycle, etc. In conclusion, in order to assessthe performances of practical QKD systems, it is naturalto define the secret key rate as the product

K = Rr . !6"

Section III presents a detailed discussion of this quantity.As we mentioned, these definitions hold in the

asymptotic regime of infinitely long keys. When finite-key corrections are taken into account, a reduction inthe secret fraction is expected, mainly for two reasons.On the one hand, parameter estimation is made on afinite number of samples, and consequently one has toconsider the worst possible values compatible with sta-tistical fluctuations. On the other hand, the yield of theclassical postprocessing contains terms that vanish onlyin the asymptotic limit; intuitively, these correction takecare of the fact that security is never absolute: the prob-ability that Eve knows an n-bit key is at least 2#n, whichis strictly positive. In this review, we restrict our atten-tion to the asymptotic case, not because finite-key cor-rections are negligible—quite the opposite seems to betrue17—but because their estimate is still the object ofongoing research !see Sec. VIII.A.1 for the state of theart".

C. Notions of security

1. Unconditional security and its conditions

The appeal of QKD comes mainly from the fact that,in principle, it can achieve unconditional security. Thistechnical term means that security can be proved with-out imposing any restriction on the computational re-sources or the manipulation techniques that are avail-able to the eavesdropper acting on the signal. Thepossibility of achieving unconditional security in QKD isdeeply rooted in quantum physics. To learn somethingabout the key, Eve must interact with the quantum sys-tem; now, if the coding uses randomly chosen nonor-thogonal states, Eve’s intervention necessarily modifiesthe state on average, and this modification can be ob-served by the parties. As discussed in Sec. I.B, there aremany equivalent formulations of this basic principle.However formulated it must be stressed that this crite-rion can be made quantitative: the observed perturba-tions in the quantum channel allow computation of abound on the information that Eve might have obtained.

Like many other technical terms, “unconditional secu-rity” has to be used in its precise meaning given above,and not as a synonym for “absolute security”—

15Smith, Renes, and Smolin !2008" used the formalism of pri-vate states to study preprocessing !see Sec. III.B.1".

16Often, especially in theoretical studies, this quantity iscalled the “secret key rate.” Here we reserve this term for Eq.!6", which is more meaningful for practical QKD.

17For instance, in the only experiment analyzed with finite-key formalism to date !Hasegawa et al., 2007", the authors ex-tracted r)2%, whereas, for the observed error rate, theasymptotic bound would have yielded r$40%.



something that does not exist. As a matter of fact, theunconditional security of QKD holds under some condi-tions. First, there are some compulsory requirements:

!1" Eve cannot intrude into Alice’s and Bob’s de-vices to access either the emerging key or theirchoices of settings !in Sec. III.B.4 we show howcomplex it is to check this point thoroughly".!2" Alice and Bob must trust the random numbergenerators that select the state to be sent or themeasurement to be performed.

!3" The classical channel is authenticated with un-conditionally secure protocols, which exist !Carterand Wegman, 1979; Wegman and Carter, 1981; Stin-son, 1995".!4" Eve is limited by the laws of physics. This re-quirement can be sharpened: in particular, one canask whether security can be based on a restricted setof laws.18 In this review, as in the whole field of prac-tical QKD, we assume that Eve has to obey thewhole of quantum physics.

We take these requirements, the failure of whichwould obviously compromise any security, as granted.Even so, many other issues have to be settled beforeunconditional security is claimed for a given protocol:for instance, the theoretical description of the quantumstates must match the signals that are really exchanged;the implementations must be proved free of unwantedinformation leakage through side channels or backdoors, against which no theoretical protection can beinvoked.

2. Definition of security

The security of a key K can be parametrized by itsdeviation + from a perfect key, which is defined as a listof perfectly correlated symbols shared between Aliceand Bob, about which Eve has no information !in par-ticular, all possible lists must be equally probable a pri-ori". A definition of security is a choice of the quantity

that is required to be bounded by +; a key that deviatesby + from a perfect key is called + secure. The mainproperty that a definition of security must satisfy is com-posability, meaning that the security of the key is guar-anteed whatever its application may be—more preciselyif an +-secure key is used in an +!-secure task,19 compos-ability ensures that the whole procedure is at least +++! secure.

A composable definition of security is the one basedon the trace norm !Ben-Or et al., 2005; Renner andKönig, 2005": 1

2 *(KE#,K ! (E*1)+, where (KE is the ac-tual state containing some correlations between the finalkey and Eve, ,K is the completely mixed state on the setK of possible final keys, and (E is any state of Eve. Inthis definition, the parameter + has a clear interpretationas the maximum failure probability of the process of keyextraction. As shown, the issue of composability wasraised rather late in the development of QKD. Most,if not all, of the early security studies had adopteda definition of security that is not composable, butthe asymptotic bounds that were derived can be “re-deemed” using a composable definition.20

3. Security proofs

Once the security criterion is defined, one can derive afull security proof, leading to an explicit !and hopefullycomputable" expression for the length of the extractablesecret key rate. Several techniques have been used:

• The very first proofs by Mayers were somehow basedon the uncertainty principle !Mayers, 1996, 2001".

18As we have seen !Sec. I.B.2", intuition suggests that thesecurity of QKD can be traced back to a few specific principlesor laws like “no-cloning” or “nonlocality without signaling.”One may ask whether this intuition can be made fully rigorous.Concretely, since any theory that does not allow signaling andis nonlocal exhibits a no-cloning theorem !Barnum et al., 2006;Masanes, Acín, and Gisin, 2006", and since nonlocality itselfcan be checked, one may hope to derive security only from thephysical law of no signaling. In this framework, unconditionalsecurity has been proved only in the case of strictly error-freechannels and for a key of vanishing length !Barrett, Hardy, andKent, 2005". Only limited security has been proved in morerealistic cases !Acín, Gisin, and Masanes, 2006; Scarani et al.,2006". Recently, Masanes showed that unconditional compos-able security can be proved if no-signaling is assumed not onlybetween Alice and Bob, but also among the systems that aremeasured by each partner !Masanes, 2008".

19For instance, the one-time pad is a 0-secure task, while anyimplementation of channel authentication, for which a part ofthe key is used !Sec. II.B.1", must allow for a nonzero +!.

20The early proofs defined security by analogy with the clas-sical definition: Eve, who holds a quantum state (E, performsthe measurement M which maximizes her mutual informationwith the key K. This defines the so-called accessible informa-tion Iacc!K :(E"=maxE=M!(E"I!K :E", and the security criterionreads Iacc!K :(E")+. As for the history of claims, it is quiteintricate. Accessible information was first claimed to providecomposable security !Ben-Or et al., 2005". The proof is correct,but composability follows from the use of two-universal hash-ing in the privacy amplification step !see Sec. III.B.1", ratherthan from the properties of accessible information itself. In-deed, shortly thereafter, an explicit counterexample showedthat accessible information is in general not composable forany choice of the security parameter + !König et al., 2007". Thereason why accessible information is not composable can beexplained qualitatively: this criterion supposes that Eve per-forms a measurement to guess the key at the end of the keyexchange. But Eve may prefer not to measure her systemsuntil the key is actually used in a further protocol: for instance,if a plaintext attack can reveal some information, Eve shouldcertainly adapt her measurement to this additional knowledge.The counterexample also implies that the classical results onprivacy amplification by two-universal hashing !Bennett et al.,1995" do not apply and have to be replaced by a quantumversion of the statement !Renner and König, 2005".



This approach has been revived recently by Koashi!2006a, 2007".

• Most of the subsequent security proofs have beenbased on the correspondence between entanglementdistillation and classical post processing, generalizingthe techniques of Shor and Preskill !2000". For in-stance, the most developed security proofs for imper-fect devices follow this pattern !Gottesman, Lo, Lüt-kenhaus, and Preskill, 2004".

• The most recent techniques use instead information-theoretical notions !Ben-Or, 2002; Kraus, Gisin, andRenner, 2005; Renner, 2005; Renner, Gisin, andKraus, 2005".

A detailed description of how a security proof is builtgoes beyond the scope of this review. The core lies inrelating the security requirement 1

2 *(KE#,K ! (E*1)+ toa statement about the length ! of the secret key that canbe extracted. This step is achieved using inequalities thatcan be seen as a generalization of the Chernoff bound.In other words, one must use or prove an inequality ofthe form

Prob!*(KE # ,K ! (E*1 - 2+". e!#F!(KE,+", !7"

where we omitted constant factors. From such an in-equality, one can immediately see that the security re-quirement will fail with exponentially small probabilityprovided !.F!(KE ,+". Explicit security bounds will beprovided below !Sec. III.B" for the asymptotic limit ofinfinitely long keys—note that in this limit one can take+!0, whence no explicit dependence on + is manifest inthose expressions.

D. Explicit protocols

1. Three families

The number of explicit QKD protocols is virtuallyinfinite: after all, Bennett has proved that security canbe obtained when a bit is coded in just two nonortho-gonal quantum states !Bennett, 1992". But as a matterof fact this possible variety has crystallized into threemain families: discrete-variable coding !Sec. II.D.2",continuous-variable coding !Sec. II.D.3", and more re-cently distributed-phase-reference coding !Sec. II.D.4".The crucial difference is the detection scheme: discrete-variable coding and distributed-phase-reference codinguse photon counting and postselect the events in which adetection has effectively taken place, while continuous-variable coding is defined by the use of homodyne de-tection !detection techniques are reviewed in Sec. II.G".

Discrete-variable coding is the original one. Its mainadvantage is that protocols can be designed in such away that, in the absence of errors, Alice and Bob imme-diately share a perfect secret key. They are still the mostfrequently implemented QKD protocols. Any discretequantum degree of freedom can be chosen in principle,but the most frequent ones are polarization for free-space implementations and phase coding in fiber-based

implementations.21 The case for continuous-variablecoding stems from the observation that photon countersnormally feature low quantum efficiencies, high darkcount rates, and rather long dead times, while these in-conveniences can be overcome using homodyne detec-tion. The price to pay is that the protocol provides Aliceand Bob with correlated but rather noisy realization of acontinuous random variable, because losses translateinto noise !see Sec. I.B.3": as a consequence, a significantamount of error correction must be used. In short, theissue is whether it is better to build up a noiseless rawkey slowly or a noisy one rapidly. As for distributed-phase-reference coding, its origin lies in the efforts ofsome experimental groups toward a more practicalimplementation. From the point of view of detection,these protocols produce a discrete-valued result; but thenature of the quantum signals is very different from thatin discrete-variable coding, and this motivates a separatetreatment.

Despite the differences originating from the use of adifferent detection device, there is a strong conceptualunity underlying discrete- and continuous-variableQKD. To take just one example, in both cases the abilityto distribute a quantum key is closely related to the abil-ity to distribute entanglement, regardless of the detec-tion scheme used and even if no actual entanglement ispresent. These similarities are not very surprising since ithas long been known that the quantum features of lightmay be revealed either via photon counting !e.g., anti-bunching or anticorrelation experiments" or via homo-dyne detection !e.g., squeezing experiments". SinceQKD is a technique that exploits these quantum fea-tures of light, there is no reason for it to be restricted tothe photon-counting regime. Surprisingly, just as anti-bunching !or a single-photon source" is not even neededin photon-counting-based QKD, squeezing is shown notneeded in homodyne-detection-based QKD. The onlyquantum feature that happens to be needed is the non-orthogonality of light states.

2. Discrete-variable protocols

a. BB84-BBM

The best known discrete-variable protocol is of courseBB84 !Bennett and Brassard, 1984", which we intro-duced in Sec. I.B. The corresponding EB protocol isknown as BBM !Bennett, Brassard, and Mermin, 1992";the E91 protocol !Ekert, 1991" is equivalent to it whenimplemented with qubits. Alice prepares a single par-ticle in one of the four states

#+ x$, ## x$, eigenstates of /x,

21Other degrees of freedom have been explored, for instancecoding in sidebands of phase-modulated light !Mérolla et al.,1999" and time coding !Boucher and Debuisschert, 2005".Energy-time entanglement also gives rise to a peculiar form ofcoding !Tittel et al., 2000".



#+ y$, ## y$, eigenstates of /y, !8"

where /’s are Pauli operators. The states with ! codefor the bit value 0, the states with 0 for the bit value 1.Bob measures either /x or /y. In the absence of errors,measurement in the correct basis reveals the bit valueencoded by Alice. The protocol includes a sifting phase:Alice reveals the basis, X or Y, of each of her signals;Bob accepts the values for which he has used the samebasis and discards the others.22

Unconditional security of the BB84-BBM protocolshas been proved with many different techniques !May-ers, 1996, 2001; Lo and Chau, 1999; Shor and Preskill,2000; Kraus, Gisin, and Renner, 2005". The same codingcan be implemented with other sources, leading to afamily of BB84-like protocols. We review them in Sec.IV.B.

b. SARG04

The SARG04 protocol !Acín, Gisin, and Scarani,2004; Scarani, Acín, Ribordy, and Gisin, 2004" uses thesame four states Eq. !8" and the same measurements onBob’s side as BB84, but the bit is coded in the basisrather than in the state !basis X codes for 0 and basis Ycodes for 1". Bob has to choose his bases with probabil-ity 1

2 . The creation of the raw key is slightly more com-plicated than in BB84. Suppose for definiteness that Al-ice sends #+x$: in the absence of errors if Bob measuresX, he gets sb=+; if he measures Y, he may get both sb=+/# with equal probability. In the sifting phase, Bobreveals sb; Alice tells him to accept if she had prepared astate with sa#sb, in which case Bob accepts the bit cor-responding to the basis he has not used. The reason isclear in the example above: in the absence of errors, sb=# singles out the wrong basis.23

SARG04 was invented for implementations with at-tenuated laser sources because it is more robust thanBB84 against the PNS attacks. Unconditional securityhas been proved; the main results are reviewed in Sec.IV.D.

c. Other discrete-variable protocols

A large number of other discrete-variable protocolshave been proposed; all of them have features thatmakes them less interesting for practical QKD thanBB84 or SARG04.

The six-state protocol !Bennett et al., 1984; Bruß, 1998;Bechmann-Pasquinucci and Gisin, 1999" follows thesame structure as BB84, to which it adds the third mu-tually unbiased basis Z defined by the Pauli matrix /z.Its unconditional security was proved quite early !Lo,2001". The interest of this protocol lies in the fact thatthe channel estimation becomes “tomographically com-plete,” that is, the measured parameters completelycharacterize the channel. As a consequence, more noisecan be tolerated than with the BB84 or SARG04 proto-cols. However, noise is quite low in optical setups, whilelosses are a greater concern !see Sec. II.F". In this re-spect, the six-state protocol perform worse because itrequires additional lossy optical components. Similarconsiderations apply to the six-state version of theSARG04 coding !Tamaki and Lo, 2006" and to the Sin-gapore protocol !Englert et al., 2004".

The coding of BB84 and six-state protocols has beengeneralized to larger dimensional quantum systems!Bechmann-Pasquinucci and Peres, 2000; Bechmann-Pasquinucci and Tittel, 2000". For any d, protocols thatuse either two or d+1 mutually unbiased bases havebeen defined !Cerf et al., 2002". Unconditional securitywas not studied; for restricted attacks, the robustness tonoise increases with d. Time-bin coding allowsd-dimensional quantum states of light to be produced ina rather natural way !De Riedmatten, Marcikic, et al.,2004; Thew et al., 2004". However, the production anddetection of these states requires d-arm interferometerswith couplers or switches, which must moreover be keptstable. Thus, again, the possible advantages are over-come by the practical issues of losses and stability.

Finally, we mention the B92 protocol !Bennett, 1992",which uses only two nonorthogonal states, each one cod-ing for one bit value. In terms of encoding, this is obvi-ously the most economic possibility. Unfortunately, B92is a rather sensitive protocol: as noticed in the originalpaper, this protocol is secure only if some other signal!e.g., a strong reference pulse" is present along with thetwo states that code the bit. Unconditional security hasbeen proved for single-photon implementations !Ta-maki, Koashi, and Imoto, 2003; Tamaki and Lütkenhaus,2004" and for some implementations with a strong refer-ence pulse !Koashi, 2004; Tamaki et al., 2006". Inciden-tally, the SARG04 protocol may be seen as a modifiedB92, in which a second set of nonorthogonal states isadded—actually, an almost forgotten protocol served asa link between the two !Huttner et al., 1995".

3. Continuous-variable protocols

Discrete-variable coding can be implemented withseveral sources, but requires photon-counting tech-niques. An alternative approach to QKD has been sug-gested, in which the photon counters are replaced by

22In the original version of BB84, both bases are used withthe same probability so that the sifting factor is psift=1/2, i.e.,only half of the detected bits will be kept in the raw key. Butthe protocol can be made asymmetric without changing thesecurity !Lo, Chau, and Ardehali, 2005": Alice and Bob canagree on using one basis with probability 1#1, where 1 can betaken as small as one wants, so as to have psift)1 +recall thatwe are considering only asymptotic bounds; in the finite-keyregime, the optimal value of 1 can be computed !Scarani andRenner, 2008",.

23In an alternative version of the sifting, Alice reveals that thestate she sent belongs to one of the two sets &#sax$ , #say$', andBob accepts it if he has detected a state sb#sa. This is a sim-plified version with respect to the original proposal, where Al-ice could declare any of the four sets of two nonorthogonalstates. The fact that the two versions are equivalent in terms ofsecurity was not clear when the first rigorous bounds were de-rived !Branciard et al., 2005", but was verified later.



standard telecom p-i-n photodiodes, which are faster !gi-gahertz instead of megahertz" and more efficient !typi-cally 80% instead of 10%". The corresponding measure-ment schemes are then based on homodyne detection!Sec. II.G.2" and involve measuring data that are realamplitudes instead of discrete events; hence theseschemes are named continuous-variable !CV" QKD.

The first proposals suggesting the use of homodynedetection in QKD are due to Ralph !1999", Hillery!2000" and Reid !2000". In particular, a squeezed-stateversion of BB84 was proposed by Hillery !2000", whereAlice’s basis choice consists of selecting whether thestate of light sent to Bob is squeezed in the quadratureq=x or q=p. Next, this q-squeezed state is displaced in qby either +c or #c depending on a random bit chosen byAlice, where c is an appropriately chosen constant.Bob’s random basis choice defines whether it is the x orp quadrature that is measured. The sifting simply con-sists in keeping only the instances where Alice and Bob’schosen quadratures coincide. In this case, the value mea-sured by Bob is distributed according to a Gaussian dis-tribution centered on the value !+c or #c" sent by Alice.In some sense, this protocol can be viewed as “hybrid”because Alice’s data are binary while Bob’s data are real!Gaussian distributed".

These early proposals and their direct generalizationare called CV protocols with discrete modulation; at thesame time, another class of CV protocols was proposedthat instead use a continuous modulation, in particular aGaussian modulation. Although CV protocols are muchmore recent than discrete-variable protocols, their secu-rity proofs have been progressing steadily over recentyears, and are now close to reaching a comparable sta-tus, see Sec. V.A

a. Gaussian protocols

The first proposed Gaussian QKD protocol was basedon squeezed states of light, which are modulated with aGaussian distribution in the x or p quadrature by Alice,and are measured via homodyne detection by Bob !Cerf,Lévy and Van Assche, 2001". This protocol can beviewed as the proper continuous-variable counterpart ofBB84 in the sense that the average state sent by Alice isthe same regardless of the chosen basis !it is a thermalstate, replacing the maximally mixed qubit state inBB84". The security of this protocol can be analyzedusing the connection with continuous-variable cloning!Cerf, Ipe, and Rottenberg, 2000"; using a connectionwith quantum error-correcting codes, unconditional se-curity was proved when the squeezing exceeds 2.51 dB!Gottesman and Preskill, 2001". The main drawback ofthis protocol is the need for a source of squeezed light.

A second Gaussian QKD protocol was therefore de-vised, in which Alice generates coherent states of light,which are then Gaussian modulated in both x and p,while Bob still performs homodyne detection !Gross-hans and Grangier, 2002a". A first proof-of-principle ex-periment, supplemented with the technique of reverse

reconciliation,24 was run with bulk optical elements onan optics table !Grosshans, Van Assche, et al., 2003".Subsequent experiments have used optical fibers andtelecom wavelengths. The scheme was thus imple-mented over distances up to 14 km using a plug-and-play configuration !Legré, Zbinden, and Gisin, 2006";then up to 25 km by time multiplexing the local oscilla-tor pulses with the signal pulses in the same optical fiberand using an improved classical postprocessing!Lodewyck et al., 2005; Lodewyck, Bloch, et al., 2007".Another fiber-based implementation over 5 km hasbeen reported !Qi, Fung, et al., 2007".

Note that, in these two first protocols, Bob randomlychooses to homodyne one quadrature, either x or p. Inthe squeezed-state protocol, this implies the need forsifting. Bob indeed needs to reject the instances wherehe measured the other quadrature rather than the onemodulated by Alice, which results in a decrease in thekey rate by a factor of 2 !this factor may actually bereduced arbitrarily close to 1 by making an asymmetricchoice between x and p, provided that the key length issufficiently large" !Lo, Chau, and Ardehali, 2005". In thecoherent-state protocol, Alice simply forgets the quadra-ture that is not measured by Bob, so that all pulses docarry useful information that is exploited to establish thefinal secret key.

The fact that Alice, in this second protocol, discardshalf of her data may look like a loss of efficiency sincesome information is transmitted and then lost. A thirdGaussian QKD protocol was therefore proposed !Weed-brook et al., 2004", in which Alice still transmits doublymodulated coherent states drawn from a bivariateGaussian distribution, but Bob performs heterodyne in-stead of homodyne measurements,25 that is, he measuresboth x and p quadratures simultaneously. At first sight,this seems to imply that the rate is doubled since Bobthen acquires a pair of quadratures !x ,p". Actually, sinceheterodyne measurement effects one additional unit ofvacuum noise on the measured quadratures, the twoquadratures received by Bob are noisier than the singlequadrature in the homodyne-based protocol. The net ef-fect, however, is often an increase in the key rate whenthe two quadratures are measured simultaneously. In ad-dition, a technological advantage of this heterodyne-based coherent-state protocol is that there is no need tochoose a random quadrature at Bob’s side !that is, noactive basis choice is needed". The experiment has beenrealized !Lance et al., 2005".

Finally, a fourth Gaussian QKD protocol was intro-duced recently !García-Patrón, 2007", which completes

24In all Gaussian QKD protocols, reversing the one-way rec-onciliation procedure !i.e., using Bob’s measured data insteadof Alice’s sent data as the raw key" is beneficial in terms ofattainable range, provided that the noise is not too large. Wereturn to this point in Sec. V.

25This possibility was also suggested for postselection-basedprotocols by Lorenz, Korolkova, and Leuchs !2004", and theexperiment has been performed !Lorenz et al., 2006".



this family of Gaussian QKD protocols. Here Alicesends again squeezed states, as in the protocol of Cerf,Lévy, and Van Assche !2001", but Bob performs hetero-dyne measurements, as in the protocol of Weedbrook etal. !2004". This protocol is associated with the highestrate and range among all Gaussian QKD protocols, butrequires a source of squeezed light.

As seen in the above discussion about BB84 andSARG04 protocols, it turns out for the CV QKD proto-cols that classical processing is also an essential elementof the protocol. As discussed later !Sec. V.A", the per-formance of CV-QKD protocols depends crucially onthe exact protocol that extracts the secret key from theexperimental data. Two important tools here are reversereconciliation !Grosshans and Grangier, 2002a" andpostselection !Silberhorn et al., 2002". As shown by Heidand Lütkenhaus !2007", the combination of both willlead to the optimal key rate.

b. Discrete-modulation protocols

For practical implementation, it is desirable to keepthe number of signals as low as possible, and to mini-mize the number of parameters in the detection processthat need to be monitored. The reason behind this isthat in practical implementation at some stage one hasto consider finite-size effects in the statistics and in thesecurity proof stage. For a continuous family of signals,it will be intuitively harder to determine these finite-sizeeffects and to include statistical fluctuations of observa-tions in a full security proof.

For this reason, it is interesting to study QKD sys-tems that combine a finite number of signals withthe continuous-variable detection schemes: discrete-modulation protocols have been devised following thisproposal, some based on coherent states instead ofsqueezed states !Silberhorn et al., 2002". The signals con-sist here of a weak coherent state together with a strongphase reference. The signal is imprinted onto the weakcoherent state by setting the relative optical phase be-tween weak coherent state and reference pulse to either0 or 2. Schematically, the strong phase reference couldbe represented by two local oscillators, e.g., phase-locked lasers at the sending and receiving stations.These types of signals were already used in the originalB92 protocol !Bennett, 1992". The receiver then uses thelocal oscillator in the homodyne or heterodyne measure-ment. The security of this protocol is still based on thefact that the weak signal pulses represent nonorthogonalsignal states.

On the receiver side, homodyne detection is per-formed by choosing at random one of the two relevantquadrature measurement !one quadrature allows mea-surement of the bit values; the other serves the purposeof monitoring the channel to limit possible eavesdrop-ping attacks". Alternatively, a heterodyne measurementcan monitor both quadratures. Consider for definitenessa simple detection scheme, in which bit values are as-signed by the sign of the detection signal, ! or 0, withrespect to the half planes in the quantum optical phasespace in which the two signals reside. As a result, both

sender and receiver have binary data at hand. As in thecase of Gaussian modulation, they can now performpostselection of data, and use error correction and pri-vacy amplification to extract secret keys from these data.

4. Distributed-phase-reference protocols

Both discrete- and continuous-variable protocols wereinvented by theorists. Some experimental groups, intheir developments toward practical QKD systems, haveconceived new protocols, which do not fit in the catego-ries above. In these, as in discrete-variable protocols, theraw keys are made up of realizations of a discrete vari-able !a bit" and are already perfectly correlated in theabsence of errors. However, the quantum channel ismonitored using the properties of coherent states—more specifically, by observing the phase coherence ofsubsequent pulses; whence the name distributed-phase-reference protocols.

The first such protocol has been called the differentialphase shift !DPS" !Inoue, Waks, and Yamamoto, 2002,2003". Alice produces a sequence of coherent states ofthe same intensity,

#%!Sn"$ = ¯ #ei3k#1%4$#ei3k%4$#ei3k+1%4$ ¯ , !9"

where each phase can be set at 3=0 or 2 !Fig. 2". Thebits are encoded in the difference between two succes-sive phases: bk=0 if ei3k =ei3k+1 and bk=1 otherwise. Thiscan be unambiguously discriminated using an unbal-anced interferometer. The complexity in the analysisof this protocol lies in the fact that #%!Sn"$# #&!b1"$ !

¯ ! #&!bn"$: the kth pulse contributes to both the kthand !k+1"st bits. The DPS protocol has already been theobject of several experiments !Takesue et al., 2005, 2007;Diamanti et al., 2006".

In the protocol called coherent one way !COW" !Gi-sin et al., 2004; Stucki et al., 2005", each bit is encoded ina sequence of one nonempty and one empty pulse,

#0$k = #%4$2k#1#0$2k, #1$k = #0$2k#1#%4$2k. !10"

These two states can be unambiguously discriminatedin an optimal way by measuring the time of arrival

tB DB

DM1

DM2

1 t! B

Alice Bob

Laser IM

D0

Alice

Laser PM

"##""#Bob

D1

FIG. 2. The two-distributed-phase reference protocol: differ-ential phase shift !DPS, top" and coherent one-way !COW,bottom". Legend: PM, phase modulator; IM, intensity modula-tor. See text for description.



!Fig. 2". For the channel estimation, one checks the co-herence between two successive nonempty pulses; thesecan be produced on purpose as a “decoy sequence”#%4$2k#1#%4$2k, or can happen as #%4$2k#%4$2k+1 across abit separation, when a sequence #1$k#0$k+1 is coded. Thislast check, important to detect PNS attacks, implies thatthe phase between any two successive pulses must becontrolled; therefore, as happens for DPS, the whole se-quence must be considered as a single signal. A proto-type of a full QKD system based on COW has beenreported recently !Stucki et al., 2008".

Both DPS and COW are P&M schemes, tailored forlaser sources. It has not yet been possible to derive abound for unconditional security because the existingtechniques apply only when #%!Sn"$ can be decomposedinto independent signals. We review the status of partialsecurity proofs in Sec. VI.

E. Sources

1. Lasers

Lasers are the most practical and versatile lightsources available today. For this reason, they are cho-senby the vast majority of groups working in the field.Of course, all implementations in which the source is alaser are P&M schemes. For the purposes of this review,we do not delve deep into laser physics. The output of alaser in a given mode is described by a coherent state ofthe field,

#%4ei5$ - #6$ = e#4/2(n=0

*6n

%n!#n$ , !11"

where 4= #62# is the average photon number !also calledthe intensity". The phase factor ei5 is accessible if a ref-erence for the phase is available; if not, the emitted stateis instead described by the mixture

( = .0

22 d522

#6$/6# = (n

P!n#4"#n$/n# !12"

with

P!n#4" = e#44n/n!. !13"

Since two equivalent decompositions of the same den-sity matrix cannot be distinguished, one may say that, inthe absence of a phase reference, the laser produces aPoissonian mixture of number states.

The randomization of 5 generalizes to multimode co-herent states !Mølmer, 1997; van Enk and Fuchs, 2002".Consider, for instance, the two-mode coherent state#%4ei!5+3"$ #%4!ei5$ which may describe, for instance, aweak pulse and a reference beam. The phase 3 is therelative phase between the two modes and is well de-fined, but the common phase 5 is random. One can thencarry out the same integration as before; the resulting( is the Poissonian mixture with average photonnumber 4+4! and the number states generated in themode described by the creation operator A†= !ei3%4a1

†

+%4!a2†" /%4+4!.

We turn now to QKD. The existence of a referencefor the phase is essential in both continuous-variableand distributed-phase-reference protocols: after all,these protocols have been designed having the laser spe-cifically in mind as a source. On the contrary, whenattenuated lasers are used to approximate qubits indiscrete protocols, the phase reference does not playany role. In these implementations, ( given in Eq. !12"is generically26 an accurate description of the quantumsignal outside Alice’s laboratory. Since ( commutes withthe measurement of the number of photons, this opensthe possibility of photon-number-splitting attacks !Ben-nett, 1992; Brassard, Lütkenhaus, et al., 2000; Lütken-haus, 2000", a major concern in practical QKD which isaddressed in Sec. III.B.3.

2. Sub-Poissonian sources

Sub-Poissonian sources !sometimes called “single-photon sources”" come closer to a single-photon sourcethan an attenuated laser, in the sense that the probabilityof emitting two photons is smaller. The quantum signalin each mode is taken to be a photon-number diagonalmixture with a very small contribution of the multipho-ton terms. The quality of a sub-Poissonian source is usu-ally measured through the second-order correlationfunction

g2!," =/:I!t"I!t + ,":$

/I!t"$2 , !14"

where I!t" is the signal intensity emitted by the sourceand : : denotes normal ordering of the creation and an-nihilation operators. In particular, g2!0")2p!2" /p!1"2,while p!n" is the probability that the source emits n pho-tons. For Poissonian sources, g2!0"=1; the smaller g2!0",the closer the source is to an ideal single-photon source.It has been noticed that knowledge of the efficiency andg2 is enough to characterize the performance of such asource in an implementation of BB84 !Waks, Santori,and Yamamoto, 2002a".

Sub-Poissonian sources have been the object of inten-sive research; recent reviews cover the most meaningfuldevelopments !Lounis and Orrit, 2005; Shields, 2007". Inthe context of QKD, the discovery of PNS attacks trig-gered much interest in sub-Poissonian sources becausethey would reach much higher secret fractions. QKDexperiments have been performed with such sources!Beveratos et al., 2002; Waks, Inoue, et al., 2002; Al-

26One must be careful due to the fact that the phase referenceis not used in the protocol does not necessarily mean that sucha reference is physically not available. In particular, such ref-erence is available for some sources, e.g., when a mode-lockedlaser is used to produce pulses. In such cases, even thoughAlice and Bob do not use the phase coherence in the protocol,the signal is no longer correctly described by Eq. !12", and Evecan in principle take advantage of the existing coherence toobtain more information !Lo and Preskill, 2007". Therefore itis necessary to implement active randomization !Gisin et al.,2006; Zhao, Qi, and Lo, 2007".



léaume et al., 2004", and also in fibers !Intallura et al.,2007" thanks to the development of sources at telecomwavelengths !Ward et al., 2005; Saint-Girons et al., 2006,Zinoni et al., 2006". Currently this interest has signifi-cantly dropped, as it was shown that the same rate canbe achieved with lasers using decoy states !see Secs.IV.B.3 and IV.B.4". But the situation may turn again inthe near future, for applications in QKD with quantumrepeaters !Sangouard et al., 2007".

3. Sources of entangled photons

Entangled photon pairs suitable for entanglement-based protocols or for heralded sub-Poissonian sourcesare mostly generated by spontaneous parametric down-conversion !SPDC" !Mandel and Wolf, 1995". In thisprocess some photons from a pump laser beam are con-verted into pairs of photons with lower energies due tononlinear interaction in an optical crystal.27 The totalenergy and momentum are conserved. In QKD devices,cw-pumped sources are predominantly used.

In the approximation of two output modes, the statebehind the crystal can be described as follows:

#&$PDC = %1 # 72(n=0

*

7n#nA,nB$ , !15"

where 7=tanh 8 with 8 proportional to the pump ampli-tude, and where #nA ,nB$ denotes the state with n pho-tons in the mode destined to Alice and n photons in theother mode going to Bob. This is the so-called two-modesqueezed vacuum.

The photons are entangled in time and in frequencies!energies"; one can also prepare pairs of photons corre-lated in other degrees of freedom: polarization !Kwiat etal., 1995, 1999", time bins !Brendel et al., 1999; Tittel etal., 2000", momenta !directions", or orbital angular mo-menta !Mair et al., 2001".

The state !15" can be directly utilized in continuous-variable protocols. In the case of discrete-variable pro-tocols, one would prefer only a single pair of photonsper signal; however, SPDC always produces multi-pair components, whose presence must be taken intoaccount. We describe this in the four-mode approxima-tion, which is sufficient for the description of fs-pulse-pumped SPDC !Li et al., 2005". An ideal two-photonmaximally entangled state reads #%2$= 1

%2 !#1,0$A#1,0$B+ #0,1$A#0,1$B", where each photon can be in two differ-ent modes !orthogonal polarizations, different time bins,etc.". This state can be approximately achieved if 791,i.e., if the mean pair number per pulse 4=272 / !1#72"

91. But there are multipair components: in fact, as inthe case of a four-mode approximation, the generatedstate reads

#%$ ) %p!0"#0$ + %p!1"#%2$ + %p!2"#%4$ , !16"

where p!1")4 and p!2") 3 / 442, #0$ is the vacuum state,and the four-photon state is #%4$= 1 /%3 !#0,2$#0,2$+ #2,0$#2,0$+ #1,1$#1,1$". We recall that this description isgood for short pump pulses; when a cw-pumped sourceis used !or a pulse-pumped source with the pulse dura-tion much larger than the coherence time , of the down-converted photons" the four-mode approximation is notapplicable and a continuum of frequency modes must betaken into account. The multiple excitations created dur-ing the coherence time , are coherent and partially cor-related: in this case, the four-photon state is a fully en-tangled state that cannot be written as “two pairs”—see#%4$ above.28 However, , is usually much shorter thanthe typical time :t that one can discriminate, this timebeing defined as the time resolution of the detectors forcw-pumped sources29 or as the duration of a pulse forpulsed sources. This implies that, when two photons ar-rive “at the same time,” they may actually arise fromtwo incoherent processes, and in this case the observedstatistics corresponds to that of two independent pairs.This physics has been the object of several studies !Tap-ster and Rarity, 1998; Ou, Rhee, and Wang, 1999; DeRiedmatten, Scarani; et al., 2004, Eisenberg et al., 2004;Tsujino et al., 2004; Scarani et al., 2005".

What concerns us here is the advantage that Eve mayobtain, and in particular the efficiency of PNS attacks. Ifthe source is used in a P&M scheme as a heraldedsingle-photon source, then the PNS attack is effective asusual, because all photons that travel to Bob have beenactively prepared in the same state !Lütkenhaus, 2000";ideas inspired by decoy states can be used to detect it!Adachi et al., 2007; Mauerer and Silberhorn, 2007". Inan EB scheme, the PNS attack is effective on the frac-tion ;), /:t of coherent four-photon states; in addition,all multipair contributions inevitably produce errors inthe correlations between Alice and Bob. We return tothese points in Sec. IV.B.5.

F. Physical channels

As far as the security is concerned, the quantum chan-nel must be characterized only a posteriori because Evehas full freedom of action on it. However, knowledge ofthe a priori expected behavior is important at the timeof designing a setup. We review here the physics of the

27Crystals such as KNbO3, LiIO3, LiNbO3, <#BaB2O4, etc.Periodically poled nonlinear materials are very promising!Tanzilli et al., 2001". Besides the spontaneous parametricdown-conversion, new sources of entangled photons based onquantum dots have been tested !Young et al., 2006". But thesesources are still at an early stage of development. Their maindrawback is the need for a cryogenic environment.

28Although a nuisance in qubit-based protocols, the existenceof such four photon components can lead to new opportunitiesfor QKD, as pointed out Brassard, Mor, and Sabders !2000"and Durkin et al. !2002".

29However, a recent entanglement-swapping experimentcombined fast detectors and narrow filters to achieve :t#, incw-pumped SPDC !Halder et al., 2007".



two main quantum channels used for light, namely, op-tical fibers and free-space beams.

An important parameter of the quantum channel isthe amount of loss. Certainly, a key can be built by post-selecting only those photons that have actually been de-tected. But since quantum signals cannot be amplified,the raw key rate decreases with the distance as the trans-mission t of the channel; in addition, at some point thedetection rate reaches the level of the dark counts of thedetectors, and this effectively limits the maximal achiev-able distance. Finally, in general the lost photons arecorrelated with the signal and thus must be counted asinformation that leaked to Eve.

Concerning the interaction of photons with the envi-ronment in the channel, the effect of decoherence de-pends strongly on the quantum degree of freedom that isused; therefore, although weak in principle, it cannot befully neglected and may become critical in some imple-mentations.

1. Fiber links

The physics of optical fibers has been explored indepth because of its importance for communication!Agrawal, 1997". When we quote a value, we refer tothe specifications of the standard fiber CorningSMF-28;30 obviously, the actual values must be measuredin any experiment.

Losses are due to random scattering processes anddepend therefore exponentially on the length !,

t = 10#6!/10. !17"

The value of 6 is strongly dependent on the wave-length and is minimal in the two “telecom windows”around 1330 nm !600.34 dB/km" and 1550 nm !600.2 dB/km".

The decoherence channels and their importance varywith the coding of the information. Two main effectsmodify the state of light in optical fibers. The first effectis chromatic dispersion different wavelengths travel atslightly different velocities, thus leading to an incoherenttemporal spread of a light pulse. This may become prob-lematic as soon as subsequent pulses start to overlap.However, chromatic dispersion is a fixed quantity for agiven fiber, and can be compensated !Fasel, Gisin, Ri-bordy, and Zbinden, 2004". The second effect is polariza-tion mode dispersion !PMD" !Gisin and Pellaux, 1992;Galtarossa and Menyuk, 2005". This is a birefringent ef-fect, which defines a fast and a slow polarization modeorthogonal to one another, so that any pulse tends tosplit into two components. This induces a depolarizationof the pulse. Moreover, the direction of the birefrin-gence may vary in time due to environmental factors: asthus, it cannot be compensated statically. Birefringenceeffects induce decoherence in polarization coding, andmay be problematic for all implementations that requirea control on polarization. The importance of such effects

depends on the fibers and on the sources; recent imple-mentations can be made stable, even though they use arather broadband source !Hübel et al., 2007".

2. Free-space links

A free-space QKD link can be used in several verydifferent scenarios, from short-distance line-of-sightlinks with small telescopes mounted on rooftops in ur-ban areas to ground-space or even space-space links, in-volving the use of astronomical telescopes !see also Sec.VIII.A.4". Free-space QKD has been demonstrated inboth the prepare-and-measure !Buttler et al., 1998; Rar-ity, Gorman, and Tapster, 2001; Hughes et al., 2002;Kurtsiefer et al., 2002" and the entanglement-based con-figurations !Marcikic, Lamas-Linares, and Kurtsiefer,2006; Ursin et al., 2007 Erven et al., 2008; Ling et al.,2008".

The decoherence of polarization or of any other de-gree of freedom is practically negligible. The losses canroughly be divided into geometric and atmospheric. Thegeometric losses are related to the apertures of the re-ceiving telescopes and with the effective aperture of thesending telescope !the one perceived by the receivingtelescope, which is influenced by alignment, movingbuildings, atmospheric turbulence, etc.". The atmo-spheric losses are due to scattering and to scintillation.Concerning scattering, within the 700–10 000 nm wave-length range there are several “atmospheric transmis-sion windows,” e.g., 780–850 nm and 1520–1600 nm,which have an attenuation 6#0.1 dB/km in clearweather. Obviously, the weather conditions influencesuch losses heavily; numerical values are available+see, e.g., Kim and Korevaar !2001" and Bloom et al.,!2003",. A simple model of the losses for a line-of-sightfree-space channel of length ! is therefore given byt)+dr / !ds+D!",2"10#6!/10, where the first term is an es-timate of the geometric losses !ds and dr are the aper-tures of the sending and receiving telescopes; D is thedivergence of the beam" and the second describes scat-tering !6 is the atmospheric attenuation". We note thatthis formula does not account for scintillation, which isoften the most critical factor in practice.

G. Detectors

1. Photon counters

Discrete-variable protocols use photon counters asdetectors. The main quantities characterizing photoncounters are the quantum efficiency =, which representsthe probability of a detector click when the detector ishit by a photon, and the dark count rate pd, characteriz-ing the noise of the detector—dark counts are eventswhen a detector sends an impulse even if no photon hasentered it. An important parameter is also the dead timeof the detector, i.e., the time it takes to reset the detectorafter a click. These three quantities are not independent.Most often, the overall repetition rate at which the de-tector can be operated is determined by the dead time.30See www.ee.byu.edu/photonics/connectors.parts/smf28.pdf



For each of the detectors discussed below, the meaning-ful parameters are listed in Table I.

The most commonly used photon counters in discrete-variable systems are avalanche photodiodes !APDs".Specifically, for wavelengths in the interval approxi-mately 400–1000 nm Si APDs can be used; for wave-lengths from about 950 to 1650 nm, including telecomwavelengths, InGaAs/InP diodes are most often ap-plied. A whole literature on the use of APDs has origi-nated in the field of QKD !Gisin, Ribordy, Tittel, andZbinden, 2002; Cova et al., 2004". Because they can beoperated with thermoelectric cooling, these detectorsare an obvious choice for practical QKD, and in particu-lar for commercial devices !Ribordy et al., 2004; Tri-fonov et al., 2004". Two recent developments are worthmentioning. First, instead of directly using InGaAsAPDs, one can detect signals at telecom wavelengths!1310 and 1550 nm" by applying parametric frequencyup-conversion and then using efficient silicon APDs!Diamanti et al., 2005; Thew et al., 2006". These up-conversion detectors have lower quantum efficiencythan InGaAs APDs, but could in principle be operatedin continuous mode, thus leading to higher repetitionrates !gigahertz"; however, currently, they suffer from anintrinsic noise source that leads to high dark count rates.Second, more recently, an improvement of the repetitionrate and count rate by several orders of magnitude hasbeen obtained using a circuit that compares the outputof the APD with that in the preceding clock cycle; suchdevices have been named self-differencing APDs !Yuan,Kardynal, et al., 2007".

Single-photon detectors other than APDs have beenand are being developed. For instance, visible light pho-ton counters !VLPCs" are semiconductor detectors thatcan also distinguish the number of impinging photons!Kim et al., 1999; Waks et al., 2003; Waks, Diamanti, andYamamoto, 2006". Other photon counters are based onsuperconductors, for instance superconducting single-photon detectors !SSPDs" !Verevkin et al., 2002, 2004"and transition edge sensors !TESs" !Miller et al., 2003;Rosenberg et al., 2005"; both types have already beenused in QKD experiments !Hadfield et al., 2006; Hiskett

et al., 2006; Rosenberg et al., 2007, 2008". Each type hasits own strong and weak features; in particular, all ofthem must be operated at cryogenic temperatures.

2. Homodyne detection

Continuous-variable QKD is based on the measure-ment of quadrature components of light. This can con-veniently be done by means of optical homodyne detec-tion. This detection scheme uses two beams of the samefrequency: the signal and the so-called local oscillator!much stronger and therefore often treated as classical".The beams are superimposed at a balanced beam split-ter. The intensity of light in each of the output modes ismeasured with proportional detectors, and the differ-ence between the resulting photocurrents is recorded. Ifthe amplitude and the phase of the local oscillator arestable, the differential current carries information abouta quadrature component of the input signal—whatquadrature component is actually measured depends onthe phase difference between the signal and local oscil-lator. To keep this phase difference constant, the signaland local oscillator are usually derived from the samelight source: the local oscillator beam needs to be trans-mitted along with the signal from Alice to Bob; in prac-tice, they are actually sent through the same channel sothat they experience the same phase noise and the rela-tive phase remains unaltered—note, however, that thispractical change may render the scheme completely in-secure, unless additional measurements are performedto verify the character of both the weak and strong sig-nals !Häseler, Moroder, and Lütkenhaus, 2008".

The intensities are measured by p-i-n diodes, whichprovide high detection efficiency !typically 80%" andrelatively low noise. Therefore homodyne detectioncould in principle operate at gigahertz repetition rates!Camatel and Ferrero, 2006" in contrast to photoncounters based on APDs, whose detection rate is limitedby the detector dead time.

The use of such a high-rate homodyne detection tech-nique unfortunately comes with a price. Because of theuncertainty principle, the measurement of complemen-

TABLE I. Typical parameters of single-photon detectors: detected wavelength 7, quantum efficiency=, fraction of dark counts pd, repetition rate, maximum count rate, jitter, and temperature of opera-tion T; the last column refers to the possibility of distinguishing the photon numbers. For acronymsand references, see text.

Name7

!nm" = pd

Rep.!MHz"

Count!MHz"

Jitter!ps"

T!K" n

APDsSi 600 50% 100 Hz cw 15 50–200 250 NInGaAs 1550 10% 10#5 per gate 10 0.1 500 220 NSelf-differencing 1250 100 60

OthersVLPC 650 58–85 % 20 kHz cw 0.015 N.A. 6 YSSPD 1550 0.9% 100 Hz cw N.A. 68 2.9 NTES 1550 65% 10 Hz cw 0.001 9"104 0.1 Y



tary quadratures is intrinsically noisy. The vacuum noise!or intrinsic noise" is the noise obtained when there isvacuum in the signal port !only the local oscillator ispresent". Now, the unavoidable transmission losses inthe optical line, which simply cause “missing clicks” inphoton-counting-based schemes, result in a decrease inthe signal-to-noise ratio in homodyne-detection-basedschemes. The vacuum noise is responsible for a rathersignificant added noise in continuous-variable QKD,which needs to be corrected during the classical postpro-cessing stage: an additional computing effort incontinuous-variable QKD.

In addition to the vacuum noise, excess noise is gen-erated, mainly by the detectors themselves and by thesubsequent electronics. In real systems, it is possible toreduce the excess noise even 20 dB below the shot noise;but this ratio depends on the width of the spectral win-dow, and narrow spectral windows bound the modula-tion frequencies !i.e., the repetition rates".

H. Synchronization and alignment

1. Generalities

The problem of the synchronization of two distantclocks, in itself, is a technical matter that has beensolved efficiently in several different ways; basically, ei-ther one sends out a synchronization signal at regularintervals during the whole protocol or one relies on aninitial synchronization of two sufficiently stable clocks.In the context of QKD, one has to consider possiblehacking attacks that would exploit this channel !see Sec.III.B.4".

The physical meaning of alignment depends on thecoding. For coding in polarization, it obviously meansthat Alice and Bob agree on the polarization directions.For phase coding, it refers rather to the stabilization ofinterferometers. Both procedures are most often per-formed by sending a space signal at a different fre-quency than the quantum signal, taking advantage of thebandwidth of the optical channel. Alternatively, self-stabilized setups have been proposed: this is the so-called plug-and-play configuration, described next in thecontext of phase coding.

Before that, we have to mention that quantum me-chanics also allows for a coding that does not requireany alignment by exploiting the so-called “decoherence-free subspaces” !Zanardi and Rasetti, 1997; Boileau etal., 2004". However, although demonstrated in someproof-of-principle experiments !Bourennane et al., 2004;Chen et al., 2006", such coding is highly impractical, as itrequires the preparation and measurement of complexmultiphoton states; moreover, it is very sensitive tolosses.31

2. Phase coding: Two configurations

We consider P&M schemes with phase coding. Thiscoding has been the preferential choice in fiber imple-mentations and has given rise to two possible configura-tions !Fig. 3". In the configuration called one-way, thelaser is on Alice’s side; it is typically realized with adouble Mach-Zehnder interferometer !Bennett, 1992;Townsend, Rarity, and Tapster, 1993". The other possibleconfiguration has been called plug-and-play configura-tion !Muller et al., 1997; Ribordy et al., 1998". As thename suggests, the goal of the plug-and-play configura-tion is to achieve self-alignment of the system. In con-trast to the one-way configuration, the plug-and-playconfiguration puts the source of light on Bob’s side: astrong laser pulse travels in the quantum channel fromBob to Alice. Alice attenuates this light to a suitableweak intensity !less than one photon per pulse on aver-age; a more precise estimate is given below and in Sec.IV.B.4", codes the information, and sends the remaininglight back to Bob, who detects. The coded signal goes asusual from Alice to Bob; but the same photons have first

31The simplest example is the singlet state of two qubits:when both qubits are sent into the quantum channel, the stateis robust against any misalignment U since U ! U#%#$= #%#$.With four physical qubits, there are two orthogonal states suchthat U ! U ! U ! U#&0,1$= #&0,1$; therefore, one can form an ef-

fective logical qubit #0$-#&0$ and #1$-#&1$ that is insensitive tomisalignments. The states #&0,1$ are not easy to prepare and todetect. As a matter of fact, the available experiments did notproduce those states: they produced a quite complex photonicstate that gives the required statistics conditioned on the ob-servation of a specific detection pattern. In turn, this impliesthat all four photons must be transmitted and detected; there-fore losses lead to a very fast decrease in the detection rate.

D0

Alice

Laser

!!

Bob

D1

"

D0

Alice LaserBob

D1

R

CFM

DL

PD

Att.

FIG. 3. Comparison of the one-way and two-way configura-tions for phase coding. The one-way configuration is calleddouble Mach-Zehnder !top". Alice splits each laser pulse intotwo pulses with relative phase 6; if Bob’s phase is such that6#<=0 modulo 2, the outcome is deterministic in the absenceof errors. In the two-way configuration, or plug-and-play !bot-tom", the source of light is on Bob’s side. In detail, an intenselaser pulse is sent through a circulator !C" into Bob’s interfer-ometer. The phase modulator is passive at this stage, but apolarization rotation !R" is implemented so that all the lightfinally couples in the fiber. On Alice’s side, part of the light isdeflected to a proportional detector !PD" that is used to moni-tor Trojan horse attacks. The remaining light goes to a Faradaymirror !FM" that sends each polarization to the orthogonalone. On the way back, the pulses are attenuated down to asuitable level; then the coding is done as above. The role of thedelay line !DL" is explained in the text.



traveled through the line going from Bob to Alice. Inthis way, the interferometers become self-stabilized be-cause the light passes through them twice; if the reflec-tion on Alice’s side is done with a Faraday mirror, polar-ization effects in the channel are compensated as well.These two configurations have shaped the beginning ofpractical QKD; we refer the reader to a previous review!Gisin, Ribordy, Tittel, and Zbinden, 2002" for a thor-ough discussion.

It is useful here to address some problems that arespecific for the plug-and-play configuration since theyillustrate the subtleties of practical QKD. The systemhas an intrinsic duty cycle, which limits the rate at longdistances: Bob must wait through a go-and-return cyclebefore sending other strong signals, otherwise the weaksignal coded by Alice will be overwhelmed by the back-scattered photons of the new strong ones.32 This nui-sance has been reduced by having Bob send not just onepulse, but a train of pulses; on Alice’s side, a sufficientlylong delay line must be added: all pulses must havepassed the phase modulator before the first one comesback and is coded. Still, this duty cycle is a seriousbottleneck compared to one-way configurations.

Two specific security concerns also arise for the plug-and-play configuration. First, in full generality, there isno reason to assume that Eve interacts only with thesignal going from Alice to Bob; she might as well modifythe signal going from Bob to Alice. A simple argumentsuggests that this is not helpful for Eve: Alice attenuatesthe light strongly and should actively randomize the glo-bal phase; then, whatever the state of the incoming light,the outgoing coded light consists of weak signals withalmost exact Poissonian statistics !Gisin et al., 2006". In-deed, a rigorous analysis shows that unconditional secu-rity can be proved if the global phase is actively random-ized, and that the resulting secret fractions are onlyslightly lower than those achievable with the one-wayconfiguration !Zhao, Qi, and Lo, 2008". The second con-cern is that, since Alice’s box must allow two-way transitof light, Trojan horse attacks !see III.B.4" must be moni-tored actively, whereas in one-way setups they can beavoided by use of passive optical isolators. In practice,this may decrease the limiting distance.33

It is not obvious what the future perspectives of theplug-and-play configuration will be: recently, stabilizedone-way configurations have been demonstrated, whichcan also reach optical visibilities larger than 99% andhave a less constraining duty cycle !Gobby, Yuan, andShields, 2004". Still, the plug-and-play configuration is animportant milestone in practical QKD: in particular, thefirst commercial QKD systems are based on it.34

III. SECRET KEY RATE

We have seen in Sec. II.B.4 that the secret key rate Kis the product of two terms +Eq. !6",, the raw key rate Rand the secret fraction r. This section is devoted to adetailed study of these two factors. Clearly, the latter isby far the more complex one, and most security studiesare devoted only to it; however, the raw key rate is cru-cial as well in practice and its proper description in-volves some subtleties as well. We therefore start withthis description.

A. Raw key rate

The raw key rate reads

R = >S Prob!Bob accepts" . !18"

The second factor depends both on the protocol and onthe hardware !losses and detectors" and will be studiedfor each specific case. The factor >S is the repetition rate.

In the case of pulsed sources >S is the repetition rateof the source of pulses. Of course, >S)>S

max, the maximalrepetition rate allowed by the source itself; but twoother limitations may become important in limitingcases, so that the correct expression reads

>Spulse = min!>S

max,1/,d4ttB=,1/Tdc" . !19"

We now explain what the two last terms mean.The first limitation is due to the dead time of the de-

tectors ,d. In fact, it is useless to send more light thancan actually be detected !worse, an excess of light mayeven give an advantage to Eve". One can require that atmost one photon is detected in an interval of time ,d; thedetection probability is Prob!Bob detects")4ttB= with4= /n$.1 the average number of photons produced bythe source, t the transmittivity of the quantum channel,tB the losses in Bob’s device, and = the efficiency of thedetector. Therefore, >S. !,d4ttB="#1. It is clear that thislimitation plays a role only at short distances: as soon asthere are enough losses in the channel, fewer photonswill arrive at Bob than can actually be detected.

The second limitation is associated with the existenceof a duty cycle: two pulses cannot be sent at a time in-terval smaller than a time Tdc determined by the setup.

32As a matter of fact, backscattering and the correspondingduty cycle could be avoided, but at the price of attenuating thepulses at Bob’s side. In turn, this implies that !i" a differentchannel should be used for synchronization and !ii" the maxi-mal operating distance is reduced in practice, especially if onetakes Trojan horse attacks into account !see below". Such asetup has been demonstrated !Bethune and Risk, 2000".

33The argument goes as follows: upon receiving Bob’s pulse,Alice attenuates it down to the desired intensity 4. Now, itturns out that a simple error by a factor of 2, i.e., sending out24 instead of 4, would spoil all security !see Sec. IV.B.4". Thisimplies that the intensity of the input pulse must be monitoredto a precision far better than this factor 2. This precision maybe hard to achieve at long distances, when Bob’s pulse hasalready been significantly attenuated by transmission.

34The configuration has also been used for continuous-variable coding !Legré, Zbinden, and Gisin, 2006", for adistributed-phase-reference protocol !Zhou et al., 2003", andfor noncryptographic quantum information tasks !Brainiset al., 2003".



The expression for Tdc depends on the details of thesetup. In plug-and-play configurations, for instance, onecannot send the next train of bright pulses before theweak signal of the earlier train has returned !Sec.II.H.2": the effect becomes important at long distance.Another example of a duty cycle is the one introducedby a stabilization scheme for one-way configurations, inwhich each coded signal is preceded by a strong refer-ence signal !Yuan and Shields, 2005". Note, finally, thatin any implementation with time-bin coding, the ad-vanced component of the next signal must not overlapwith the delayed component of the previous one.

In the case of heralded photon sources orentanglement-based schemes working in a continuous-wave !cw" regime it is reasonable to define >S as theaverage rate of Alice’s detections; thus35

>Scw = min!=AtA4!,1/,d

A,1/,dttB=,1/:t" . !20"

Here =AtA4! is the trigger rate with which Alice an-nounces the pair creations to Bob, with 4! the pair-generation rate of the source, tA is the overall transmit-tance of Alice’s part of the apparatus, and =A is theefficiency of Alice’s detectors. Of course, in practice thisrate is limited by the dead time of Alice’s detectors ,d

A.The whole repetition rate is limited by Bob’s detectordead time ,d and by the width of the coincidence win-dow :t !usually :t9,d".

B. Secret fraction

1. Classical information postprocessing

To extract a short secret key from the raw key, classi-cal postprocessing is required. This is the subject of thissection +for more details see Renner !2005" and VanAssche !2006",. The security bounds for the secret frac-tion crucially depend on how this step is performed.

a. One-way postprocessing

These are the most studied and best-known proce-dures. One of the partners, the one who is chosen tohold the reference raw key, sends classical informationthrough the public channel to the other one, who actsaccording to the established procedure on his data butnever gives feedback. If the sender in this procedure isthe same as the sender of the quantum states !Alice withour convention", one speaks of direct reconciliation; inthe other case, of reverse reconciliation. The optimalone-way postprocessing has been characterized and con-sists of two steps.

The first step is error correction !EC", also called in-formation reconciliation, at the end of which the lists ofsymbols of Alice and Bob have become shorter but per-fectly correlated. As proved by Shannon, the fraction of

perfectly correlated symbols that can be extracted froma list of partially correlated symbols is bounded by themutual information I!A :B"=H!A"+H!B"#H!AB",where H is the entropy of the probability distribution. Inthe context of one-way procedures with a sender S and areceiver R, it is natural to write I!A :B" in the apparentlyasymmetric form H!S"#H!S #R". This formula has an in-tuitive interpretation, if one remembers that the entropyis a measure of uncertainty: the sender must reveal anamount of information at least as large as the uncer-tainty the receiver has on the reference raw key.

The second step is privacy amplification !PA". Thisprocedure is aimed at destroying Eve’s knowledge of thereference raw key. Of course, Alice and Bob will havechosen as a reference raw key the one on which Eve hasthe smallest information: here is where the choice be-tween direct and reverse reconciliation becomesmeaningful.36 The fraction to be further removed cantherefore be written min!IEA ,IEB", where IE· is Eve’s in-formation about the raw key of Alice or Bob, which willbe defined more precisely in Sec. III.B.2 PA was firstmentioned by Bennett, Brassard, and Robert !1988", andthen established by Bennett et al. !1995". This referencehas been considered as valid for one decade but, afterthe notion of universally composable security was intro-duced !see Sec. II.C.2", it had to be replaced by a gener-alized version !Renner and König, 2005". Currently theonly PA procedure that works in a provable way is theone based on two-universal hash functions.37 Also, forcomposability, the protocol must be symmetric underpermutations; in particular, the pairs for the parameterestimation must be chosen at random, and the hashfunction has to be symmetric !as it is usually".

In summary, the expression for the secret fraction ex-tractable using one-way classical postprocessing reads

r = I!A:B" # min!IEA,IEB" . !21"

35The source is assumed to be safe at Alice’s side. It is sup-posed that Alice’s detectors are still “open” !not gated". Darkcounts and multipair contributions were neglected in the esti-mation of >S

cw.

36Note that, I!A :B" being symmetric, there is no differencebetween direct and reverse reconciliation at the level of EC, asexpected from the nature of the task.

37A set F of functions f :X!Z is called two-universal ifPr+f!x"= f!x!",)1/ #Z# for x#x! and f chosen at random withuniform probability. It is instructive to see why this definition ismeaningful for privacy amplification. After EC, Alice and Bobshare the same list of bits x; Eve has an estimate x! of this list.For PA, Alice chooses f from the two-universal set and an-nounces it publicly to Bob. Both Alice and Bob end up withthe shorter key z= f!x"; but the probability that Eve’s estimatez!= f!x!" coincides with z is roughly 1/ #Z#: Eve might as wellchoose randomly out of the set Z of possible final keys. Two-universal hash functions, e.g., in the form of matrix multiplica-tion, can be implemented efficiently !Carter and Wegman,1979; Wegman and Carter, 1981". The size of the matrices isproportional to the length N of the raw key. Against a classicaladversary, other extractors exist whose size grows only aslog N; but at currently, it is not known whether a similar con-struction exists in the case where the adversary is quantum!König and Renner, 2007".



b. Remarks on practical EC

As mentioned above, the performance of EC codes isbounded by Shannon’s mutual information. Practical ECcodes, however, do not reach the Shannon bound. For apriori theoretical estimates, it is fair to increase the num-ber of bits to be removed by 10–20 %; more preciseestimates are available !Lütkenhaus, 1999" but ulti-mately the performance must be evaluated on eachcode. We take this correction explicitly into account inSec. IV–VII.

In addition, most of the efficient EC codes that areactually implemented, e.g., CASCADE !Brassard and Sal-vail, 1994", use two-way communication. To fit thesetwo-way EC codes in the framework of one-way post-processing, one can give the position of the errors to Eveand treat all communication as one-way communicationby !Lütkenhaus, 1999". Alternatively, one can use en-cryption of the EC data, as suggested by Lütkenhaus!1999" and formally proved by Lo !2003".

Note finally that it is not necessary to estimate theerror rate with a small sample of the data: instead, theparties learn naturally the precise number of errors dur-ing the EC procedure.

c. Other forms of postprocessing

Bounds can be improved by two-way postprocessing,which refers to any possible procedure in which bothpartners are allowed to send information. Since its firstappearance in QKD !Gisin and Wolf, 1999; Chau, 2002;Gottesman and Lo, 2003", this possibility has been theobject of several studies.38 Contrary to the one-way case,the optimal procedure is still not known, basically be-cause of the complexity of taking feedback into account.

More recently, another way to improve bounds wasfound, called preprocessing: before postprocessing, thesender !for one way" or both partners !for two way" canadd locally some randomness to their data. Of course,this decreases the correlations between them, but it de-creases Eve’s information as well, and, remarkably, theoverall effect may be positive !Kraus, Gisin, and Renner,2005; Renner, Gisin, and Kraus, 2005".

Both preprocessing and two-way post-processing areeasy to implement and allow a secret key to be extractedin a parameter region where one-way postprocessingwould fail; in particular, the critical tolerable error rateis pushed much higher.39 To our knowledge though, they

have been implemented only once in real systems !Ma etal., 2006". The reason is that, in terms of secret key rate,an improvement can be appreciated only when the darkcounts become dominant,40 a regime in which few sys-tems tend to operate—see, however, Rosenberg et al.!2008", Tanaka et al. !2008", and Yuan et al. !2008".Therefore, in what follows, we present only bounds forone-way classical postprocessing without preprocessing.

2. Individual, collective, and coherent attacks

As stressed from the beginning !Sec. II.C.1", one aimsultimately at proving unconditional security, i.e., securitybounds in the case where Eve’s attack on the quantumchannel is not restricted. Such a lower bound for securitywas elusive for many years !Sec. II.A"; it has nowadaysbeen proved for many protocols, but is still missing forothers. In order to provide an ordered view of the past,as well as to keep ideas that may also be useful in thefuture, we discuss now several levels of security.

a. Individual (or incoherent) attacks

This family describes the most constrained attacksthat have been studied. They are characterized by thefollowing properties:

!I1" Eve attacks each of the systems going from Aliceto Bob independently of all others, using the samestrategy.41 This property is easily formalized in the EBscheme: the state of n symbols for Alice and Bob has theform (AB

n = !(AB"!n.!I2" Eve must measure her ancillas before the classical

postprocessing. This means that, at the beginning of theclassical postprocessing, Alice, Bob, and Eve share aproduct probability distribution of classical symbols.

In this case, the security bound for one-way postpro-cessing is the Csiszár-Körner bound, given by Eq. !21"with

IAE = maxEve

I!A:E" !individual attacks" , !22"

38We note that some of the security claims in the first paperdealing with advantage distillation !Gisin and Wolf, 1999" wereimprecise. These works have also had an intriguing offspring,the conjecture of the existence of “bound information” !Gisinand Wolf, 2000", later proved for three-partite distributions!Acín, Cirac, and Masanes, 2004".

39The order of magnitude of the improvements is roughly thesame for all examples that have been studied. Consider, e.g.,BB84 in a single-photon implementation and security againstthe most general attacks: the critical quantum bit error rate!QBER" for one-way postprocessing without preprocessing is11% !Shor and Preskill, 2000". Bitwise preprocessing brings

this value up to 12.4% !Kraus, Gisin, and Renner, 2005"; morecomplex preprocessing up to 12.9% !Smith, Renes, and Smo-lin, 2008". Two-way postprocessing can increase it significantlyfurther, at least up to 20.0%, but at the expenses of drasticallyreduced key rate !Chau, 2002; Gottesman and Lo, 2003; Baeand Acín, 2007". In weak-coherent-pulse implementations,preprocessing increases the critical distance of BB84 andSARG04 protocols by a few kilometers, for security to againstboth individual !Branciard et al., 2005" and most general at-tacks !Kraus, Branciard, and Renner, 2007".

40Recall that optical error is routinely kept far below 5%;therefore, the total error rate exceeds 110% when the error islargely due to the dark counts.

41We note here that this “same strategy” may be probabilistic!with probability p1, Eve does something; with probability p2,something else; etc.", provided the probabilities are fixed dur-ing the whole key exchange. From the standpoint of practicalQKD, an attack in which Eve would simply stop attacking fora while, belongs to the family of the most general attacks.



and of course similarly for IBE !Csiszár and Körner,1978". Here I!A :E" is the mutual information betweenthe classical symbols; the notation maxEve recalls thatone must maximize this mutual information over Eve’sstrategies. There is actually an ambiguity in the litera-ture as to the moment where Eve is forced to performher measurement: namely, whether she is forced tomeasure immediately after the interaction !Lütken-haus, 1996; Curty and Lütkenhaus, 2005; Bechmann-Pasquinucci, 2006" or whether she can keep the signalsin a quantum memory until the end of the sifting anderror correction phase !Fuchs et al., 1997; Bruß, 1998;Slutsky et al., 1998; Bechmann-Pasquinucci and Gisin,1999; Lütkenhaus, 1999; Brassard, Lütkenhaus, et al.,2000; Cerf et al., 2002; Herbauts et al., 2008". The firstcase is associated with the hardware assumption thatEve is restricted not to have a quantum memory.42 Thesecond case is associated with the hardware assumptionthat Eve cannot perform arbitrary coherent measure-ments and can be useful as a step on the way to uncon-ditional security proofs. However, we stress that thebound for collective attacks can nowadays be calculatedmore easily and gives more powerful results.43

An important subfamily of individual attacks are theintercept-resend !IR" attacks. As the name indicates,Eve intercepts the quantum signal flying from Alice toBob, performs a measurement on it, and, conditioned onthe result she obtains, she prepares a new quantum sig-nal that she sends to Bob. If performed identically on allitems, this is an individual attack. Moreover, it obviouslyrealizes an entanglement-breaking channel between Al-ice and Bob, thus providing an easily computed upperbound on the security of a protocol !Curty and Lütken-haus, 2005; Bechmann-Pasquinucci, 2006".

b. Collective attacks

This notion was first proposed by Biham, and co-workers, who proved the security of BB84 against themand conjectured that the same bound would hold for themost general attacks !Biham and Mor, 1997; Biham etal., 2005". Collective attacks are defined as follows:

!C1" The same as !I1".

!C2" Eve can keep her ancillas in a quantum memoryuntil the end of the classical postprocessing, and moregenerally until any later time convenient to her !for in-stance, if the key is used to encode a message, part ofwhich is vulnerable to plain-text attack, Eve may delayher measurement until she obtains the information com-ing from this attack". She can then perform the bestmeasurement compatible with what she knows. In gen-eral, this will be a collective measurement.

Only !C1" is an assumption on Eve’s power. The ge-neric bound for the secret key fraction achievable usingone-way postprocessing !Devetak-Winter bound" is givenby Eq. !21" with

IAE = maxEve

?!A:E" !collective attacks" , !23"

and IBE defined in the analogous way !Devetak andWinter, 2005". Here ?!A :E" is the so-called Holevoquantity !Holevo, 1973",

?!A:E" = S!(E" # (a

p!a"S!(E#a" , !24"

where S is von Neumann entropy, a is a symbol ofAlice’s classical alphabet distributed with probabilityp!a", (E#a is the corresponding state of Eve’s ancilla, and(E=(ap!a"(E#a is Eve’s partial state. The Holevo quan-tity bounds the capacity of a channel, in which a classicalvalue !here a" is encoded into a family of quantum states!here, (E#a": in this sense, it is the natural generalizationof the mutual information.

As mentioned, it is actually easier to compute Eq. !23"than Eq. !22". The reason lies in the optimization ofEve’s strategy. In fact, the Holevo quantity depends onlyon Eve’s states (E#a, that is, on the unitary operation withwhich she couples her ancilla to the system flying toBob. In contrast to that, the mutual information de-pends both on Eve’s states and on the best measurementthat Eve can perform to discriminate them, which can beconstructed only for very specific examples of the set ofstates !Helstrom, 1976".

c. General (or coherent) attacks

Eve’s most general strategy includes so many possiblevariations !she may entangle several systems flying fromAlice to Bob, she may modify her attack according tothe result of an intermediate measurement, etc." that itcannot be efficiently parametrized. A brute force opti-mization is therefore impossible. Nevertheless, as men-tioned, bounds for unconditional security have beenfound in many cases. In all these cases, it turns out thatthe bound is the same as for collective attacks. This re-sult calls for several comments.

First, this result has an intuitive justification. If thestate #%!Sn"$ that codes the sequence Sn has the tensorproduct form #&!s1"$ ! ¯ ! #&!sn"$, then the states pass-ing from Alice to Bob are uncorrelated in the quantumchannel; therefore Eve does not seem to have any ad-vantage in introducing artificial correlations at this

42Generalizing !Wang, 2001", it is conjectured that individualattacks should be optimal under the weaker assumption of aquantum memory that is bounded, either in capacity or in life-time; but only rougher bounds have been derived so far !Dam-gaard et al., 2005, 2007; König and Terhal, 2008".

43Currently there is still something that is known only forindividual attacks, and this is Eve’s full strategy; the optimalprocedures have been found both for the scenarios both with-out quantum memory !Lütkenhaus, 1996" and with it !Lütken-haus, 1999; Herbauts et al., 2008". On the contrary, the boundfor collective and coherent attacks is computed by optimizingthe Holevo bound over all possible interactions between thesignal and Eve’s ancillas !see below": one implicitly assumesthat suitable measurements and data processing exist, whichwill allow Eve to extract that amount of information. It wouldbe interesting to exhibit explicit procedures also for more gen-eral attacks.



point.44 However, correlations do appear later, duringthe classical postprocessing of the raw key, such that, infact, the final key is determined by the relations betweenthe symbols of the raw key, rather than by those symbolsthemselves. Thus, Eve must not try to guess the value ofeach symbol of the raw key, but rather some relationbetween them—and this is typically a situation in whichentanglement is powerful. This vision also clarifies whyunconditional security is still elusive for those protocolsfor which #%!Sn"$ is not of the tensor product form !seeSec. VI.A".

Second, for BB84, six-state, and other protocols, as-suming the squashing property of detectors !see Sec.IV.A.2", this result is a consequence of the internal sym-metries !Kraus, Gisin, and Renner, 2005; Renner, Gisin,and Kraus, 2005". The explicit calculations are given inAppendix A. In a more general framework, the sameconclusion can be reached by invoking the exponentialDe Finetti theorem !Renner, 2005, 2007". This theoremsays that, after some suitable symmetrization, the statis-tics of the raw key are never significantly different fromthose that would be obtained under constraint !I1". Thisis a powerful result, but again does not solve all theissues: for instance, because the actual exponentialbound depends on the dimension of the Hilbert space ofthe quantum signals, it cannot be applied to continuous-variable QKD !see, however, the “Note added” at theend of this paper". Also recall that we consider only theasymptotic bound: the finite-key bounds obtained by in-voking the De Finetti theorem are overpessimistic !Sca-rani and Renner, 2008".

3. Quantum side channels and zero-error attacks

The possibility of zero-error attacks seems to be atodds with the fundamental tenet of QKD, namely, thatEve must introduce modifications in the state as soon asshe obtains some information. However, there is no con-tradiction: for instance, in the presence of losses thequantum signal is also changed between the source andthe receiver. Even if in most protocols !see discussion inSec. I.B.3" losses do not lead to errors in the raw key,some information about the value of the coded symbolmay have leaked to Eve.

Losses are the most universal example of leakage ofinformation in a quantum side channel, i.e., in some de-gree of freedom other than the one that is monitored.We stress that the existence of side channels does notcompromise security, provided the corresponding at-tacks are taken into account in the privacy amplification.

A beam-splitting !BS" attack translates the fact thatthe light that is lost in the channel must be given to Eve:specifically, Eve could be simulating the losses by puttinga beam splitter just outside Alice’s laboratory, and thenforwarding the remaining photons to Bob on a lossless

line. The BS attack does not modify the optical modethat Bob receives: it is therefore always possible forlossy channels and does not introduce any error .45 Foran explicit computation of BS attacks, see Sec. VI.B.

When the signal can consist of more than one photon,Eve can count the number of photons in each signal andact differently according to the result n of this measure-ment. Such attacks are called photon-number splitting!PNS" attacks !Bennett, 1992; Du!ek, Haderka, andHendrych, 1999; Brassard, Lütkenhaus, et al., 2000; Lüt-kenhaus, 2000" and can be much more powerful than theBS attack. They were discovered as zero-error attacksagainst BB84 implemented with weak laser pulses; in thetypical parameter regime of QKD, even the Poissonianphoton-number distribution can be preserved !Lütken-haus and Jahma, 2002", so that the PNS attack cannot bedetected even in principle as long as one known signalintensity is used. Use of different intensities in order todetect PNS attacks is the idea behind the decoy-statesmethod !Hwang, 2003; Lo, Ma, and Chen, 2005; Wang,2005". The distributed-phase-reference protocols alsodetect PNS attacks !Inoue and Honjo, 2005; Stucki et al.,2005".

Finally, we mention the possibility of attacks based onunambiguous state discrimination !USD" followed by re-sending of a signal !Du!ek, Jahma, and Lütkenhaus,2000". These can be part of a PNS attack !Scarani, Acín,Ribordy, and Gisin, 2004" or can define attacks alone!Branciard et al., 2007; Curty et al., 2007"; they areclearly zero-error attacks and modify the photon-number statistics in general.

Of course, a quantum side channel may hide in anyimperfect component of the device !e.g., a polarizerwhich would also distort the wave function according tothe chosen polarization". The list of possibilities is un-bounded, whence the need for careful testing.46

4. Hacking attacks on practical QKD

In practical QKD, the security concerns are not lim-ited to the computation of security bounds for Eve’s ac-tion on the quantum channel. Any specific implementa-tion must be checked against hacking attacks andclassical leakage of information.

Hacking attacks are related to the weaknesses of animplementation. A first common feature of hacking at-tacks is that they are feasible, or almost feasible, withpresent-day technology. The best-known example is thefamily of Trojan horse attacks, in which Eve probes thesettings of Alice’s and/or Bob’s devices by sending somelight into them and collecting the reflected signal !Vakhi-tov, Makarov, and Hjelme, 2001". Actually, the first kindof hacking attack that was considered is a form of Trojan

44Of course, one is not saying that Eve does satisfy !I1": Evecan do whatever she wants; but there exists an attack thatsatisfies !I1" and that performs as well as the best possibleattack.

45For some sources, this attack simply does not give Eve anyinformation: for a perfect single-photon source, if the photongoes to Eve, nothing goes to Bob, and vice versa.

46Some very specific protocols and the corresponding securityproofs can be made robust against such imperfections !Acín etal., 2007".



horse that would come for free: it was noticed that somephoton counters !silicon-based avalanche photodiodes"emit some light at various wavelengths when they detecta photon !Kurtsiefer et al., 2001". If this light carriessome information about which detector has fired, it mustbe prevented from propagating out, where Eve coulddetect it. In these two examples, one also sees the sec-ond common feature of all hacking attacks, namely, thatonce they have been noticed, they can be countered byadding some component. In all setups where light goesonly one way !out of Alice’s and into Bob’s laboratory",the solution against Trojan horse attacks consists in sim-ply using an optical isolator; in implementations wherelight must go both ways !typically, the plug-and-play set-ups", the solution is provided by an additional monitor-ing detector !Gisin et al., 2006".

Apart from Trojan horses, other hacking attacks havebeen invented to exploit potential weaknesses of specificimplementations, e.g., faked state attacks !Makarov andHjelme, 2005; Makarov et al., 2006; Makarov and Skaar,2008", phase-remapping attacks !Fung et al., 2007", andtime-shift attacks !Qi, Fung, et al., 2007; Zhao, Fung, etal., 2007".It has also been noticed that a too precise tim-ing disclosed in the Alice-Bob synchronization protocolmay give information about which detector actually fired!Lamas-Linares and Kurtsiefer, 2007".

5. A crutch: The uncalibrated-device scenario

As we have stressed, the errors and losses in the quan-tum channel must be attributed to Eve’s intervention.But in a real experiment, there are errors and losses alsoinside the devices of the authorized partners. In particu-lar, the detectors have finite efficiency !losses" and darkcounts !errors"; these values are known to the autho-rized partners, through calibration of their devices. Asecurity proof should take this fact into account.

The task of integrating this knowledge into securityproofs, however, has proved harder than one mightthink. In general, the naive approach, consisting in tak-ing an attack and removing the device imperfectionsfrom the parameters used in privacy amplification, givesonly an upper bound, even at the level of individualattacks.47 In particular, unconditional security proofs,

whenever available, have been provided only under theassumption that all the losses and all the errors are at-tributed to Eve and must therefore be taken into ac-count in privacy amplification. We refer to this assump-tion as to the uncalibrated-device scenario, because itimplies that Alice and Bob have no means of distin-guishing the losses and errors of their devices from thoseoriginating in the channel.48 These issues have beenraised in a nonuniform way in the literature. Most of thediscussions have taken place for discrete-variable proto-cols; the security studies of distributed-phase-referenceprotocols are in too early a stage, but will surely have toaddress the question. The case of CV QKD may provedifferent because of the difference in the detection pro-cess !homodyne detection instead of photon counting".

Currently the uncalibrated-device scenario is still anecessary condition to derive lower bounds. In the fol-lowing sections, we work with this scenario. In Sec. IV.Cand VII.B.2, we compare the best available lowerbounds with the upper bounds obtained with a naiveapproach to calibrated devices: we show that in somecases the two bounds coincide for every practical pur-pose. In Sec. VIII.A.2, we summarize the status of thisopen problem.

IV. DISCRETE-VARIABLE PROTOCOLS

A. Generic assumptions and tools

As argued in Sec. III.B.5, in order to present lowerbounds as they are available today, we work systemati-cally in the uncalibrated-device scenario; Sec. IV.C willpresent the derivation of an upper bound for calibrateddevices.

1. Photon-number statistics

We suppose that each signal is represented by a diag-onal state in the photon-number basis, or, in otherwords, that there is no phase reference available and nocoherence between successive signals.49 Thus, Alice’ssource can be described as sending out a pulse that con-tains n photons with probability pA!n"; Eve can learn nwithout modifying the state, so this step is indeed part of

47Consider a PNS attack !Sec. III.B.3" on BB84 implementedwith weak coherent pulses, and focus on the pulses for whichEve has n=2 photons. The obvious PNS attack consists in Evekeeping one photon in a quantum memory and sending theother one to Bob because in this case she obtains full informa-tion and introduces no error. But there is no information onnondetected photons: in particular, if Eve cannot control thelosses in Bob’s apparatus, tB, and the detector efficiency =, herinformation rate on such events will be I2!1+1= tB=. Now, con-sider another strategy: Eve applies a quantum cloner 2!3,keeps one photon, and sends the other two to Bob. Since noperfect cloning is possible, this introduces an error +2 on Bob’sside, and Eve’s information on each detected bit is I!+2"#1.But Eve’s information rate is I2!2+1= +1# !1# tB="2,I!+2")2tB=I!+2" and can therefore become larger than I2!1+1. Thefull analysis must be done carefully, taking into account the

observed total error rate; in the family of individual attacks,the cloning strategy performs better than for typical values oftB= !Curty and Lütkenhaus, 2004; Niederberger, Scarani, andGisin, 2005". Note that there is no claim of optimality in thisexample: another attack may be found that performs stillbetter.

48The name uncalibrated-device scenario is proposed here forthe first time. In the literature, the assumption used to benamed the untrusted-device scenario; but this name is clearlyinadequate !see Sec. II.C.1 for the elements that must alwaysbe trusted in a QKD setup, and Sec. VIII.A.3 for those thatmay not be trusted in some very specific protocols".

49In some cases such as plug-and-play implementations, therandomization of the phase should in principle be ensured ac-tively !Gisin et al., 2006; Zhao, Qi, and Lo, 2008".



the optimal collective attack !Eve may always choosenot to take advantage of this information".

The statistical parameters that describe a key ex-change are basically detection rates and error rates.50

Here are the main notations: R, total detection rate; Rn,detection rate for the events when Alice sent n photons!(nRn=R"; Yn=Rn /R a convenient notation !(nYn=1";Rn

w wrong counts among the Rn; +n=Rnw /Rn the error

rate on the n photon signals; and Q=(nYn+n the totalerror rate !QBER". Concerning photon statistics onBob’s side, it is important to notice the following. If thechannel introduces random losses, the photons that en-ter Bob’s device are distributed according to pB

t !k"=(n@kpA!n"Cn

ktk!1# t"n#k, where Cnk=k! /n!!n#k"! is the

binomial factor; one could compute Rn from this valueand the details of the protocol. However, Eve can adapther strategy to the value of n, so the photon-numberstatistics pB!k" on Bob’s side may be completely differ-ent from pB

t !k" !Lütkenhaus and Jahma, 2002".

2. Qubits and modes

Many, although not all, security proofs can be ob-tained by finding qubit protocols in the optical imple-mentations that work with optical modes.

a. Sources: Tagging

On the source side, this can be done with “tagging,”by assuming that all multiphoton signals !with respect tothe total signal" becoming fully known to an eavesdrop-per. This leaves us effectively with qubits, using singlephotons and the coding degree of freedom, for example,polarization or relative phase between two modes. Thismethod has been used by Lütkenhaus !2000" and In-amori, Lütkenhaus, and Mayers !2007", but the term tag-ging was introduced only by Gottesman, Lo, Lütken-haus, and Preskill !2004". Note that security proofs canbe made without this assumption, e.g., in the case of theSARG protocol.

b. Detectors: Squashing

Detectors act on optical modes, and typically thresh-old detectors are used that cannot resolve the incomingphoton number. Some security proofs !Mayers, 1996,2001; Koashi, 2006a" can deal directly with this situation.In other security proofs one has to search through allpossible photon numbers of arriving signals to provethat it is Eve’s optimal strategy to send preferentiallysingle photons to Bob !Lütkenhaus, 1999". It was real-ized there that double clicks in detection devices, result-ing from multiphoton signals or dark counts, cannot besimply ignored, as this would open up a security

loophole.51 As a countermeasure, Lütkenhaus !1999,2000" introduced the concept of assigning double clicksat random to the values corresponding to single-clickevents.

The concept of squashing, originally introduced in acontinuous-variable context !Gottesman and Preskill2001", was coined by Gottesman, Lo, Lütkenhaus, andPreskill !2004", where it is assumed that the detectiondevice can be described by a two-step process: in a firststep, the optical signal is mapped !squashed" into asingle photon !qubit", and then the ideal measurement inthe qubit description is performed. Only recently has itbeen shown that a squashing model actually exists forthe BB84 protocol !Beaudry, Moroder, and Lütkenhaus,2008a; Tsurumaru and Tamaki, 2008" with the given as-signment of double clicks to random single detectorclicks. Actually, Beaudry, Moroder, and Lütkenhaus!2008a", developed squashing maps for different detec-tor setups, including the implementation of passive basischoice in the BB84 protocols via a beam splitter. Notethat the existence of a squashing model should not betaken for granted, as, for example, the six-state protocoldoes not admit a squashing model. However, a six-stateprotocol measurement with a passive basis choice via alinear optics array admits a squashing model for suitableassignment of multiclicks. !Beaudry et al., 2008b".

It is not necessary to find a squashing model to provesecurity, but it is certainly an elegant shortcut, as nowthe combination of tagging in the source and squashingin the detector allows a reduction of the security analysisof QKD to qubit protocols. For the remainder of thisreview, however, we adopt the squashing model view.

3. Secret key rate

The bound for the secret fraction is Eq. !21". In thecase of the protocols under study, H!A"=H!B"=1 andH!A#B"=H!B#A"=h!Q", where h is binary entropy andQ is the QBER. Therefore I!A :B"=1#h!Q". However,we want to provide formulas that take imperfect errorcorrection into account. Therefore we use

K = R+1 # leakEC!Q" # IE, !25"

with leakEC!Q"@h!Q" and IE=min!IAE ,IBE". We studythis last term. Eve gains information only on the non-empty pulses, and provided Bob detects the photon shehas forwarded. Since, due to the squashing model, theexponential De Finetti theorem applies to discrete-variable protocols !see discussion in Sec. III.B.2", andsince the optimal collective attack includes the measure-

50We assume that these parameters are independent of Bob’smeasurements, either because they are really measured to bethe same for all bases !a reasonable case in practice", or be-cause, after the sifting procedure, Alice and Bob forget fromwhich measurement each bit was derived and work with aver-age values.

51A simple attack exploiting this loophole goes as follows:Eve performs an intercept-resend attack and resends a pulsecontaining a large number of photons in the detected polariza-tion. If Bob measures in the same basis as Eve, he will receivea single detector click, about which Eve has full information. IfBob measures in a different basis, he will almost always re-ceive double clicks, which he discards. Therefore Eve has per-fect information about all signals retained by Eve, allowing herto break the QKD scheme.



ment of the number of photons, the generic structure forEve’s information reads52

IE = maxEve

(n

YnIE,n, !26"

where the maximum is to be taken on all Eve’s attackscompatible with the measured parameters.

B. BB84 coding: Lower bounds

In the BB84 coding, the probability that Bob acceptsan item depends only on the fact that he has used thesame basis as Alice, which happens with probability psift.Therefore, writing >S=>Spsift, we have

Rn = >SpA!n"fn, !27"

where fn is the probability that Eve forwards some signalto Bob for n-photon pulses. Eve’s attack must be opti-mized over the possible &fn'n@0 compatible with (nRn=R. Now we consider different implementations of thiscoding.

1. Prepare-and-measure: Generalities

In P&M BB84, IAE=IBE. On the events when Alicesends no photons !n=0" but Bob has a detection, theintuitive result IE,0=0 !Lo, 2005" has indeed been proved!Koashi, 2006b". On the single-photon pulses, Eve cangain information only at the expense of introducing anerror +1; the maximal information that she can obtain inthis way is IE,1=h!+1", where h is the binary entropy!Shor and Preskill, 2000". A possible demonstration ofthis well-known result is given in Appendix A. For mul-tiphoton pulses, the best attack is the PNS attack inwhich Eve forwards one photon to Bob and keeps theothers: i.e., for n@2, +n=0, and IE,n=1 !Gottesman, Lo,Lütkenhaus, and Preskill, 2004; Fung, Tamaki, and Lo,2006; Kraus, Branciard, and Renner, 2007". ThereforeEq. !26" becomes

IE = maxEve

+Y1h!+1" + !1 # Y0 # Y1",

= 1 # minEve

&Y0 + Y1+1 # h!+1",' . !28"

2. P&M without decoy states

In P&M schemes without decoy states, the only mea-sured parameters are R and Q. We have to assume+n@2=0; therefore we obtain +1=Q /Y1. From this and

Eq. !28", we see53 that Eve’s optimal attack compatiblewith the measured parameters is the one which mini-mizes Y1, a situation which is obviously achieved by set-ting f0=0 and fn@2=1. One finds then

Y1 = 1 # !>S/R"pA!n@ 2" . !29"

As a conclusion, for BB84 in a P&M scheme withoutdecoy states, the quantity to be subtracted in PA is

IE = 1 # Y1+1 # h!Q/Y1", . !30"

The corresponding achievable secret key rate !25" is

K = R&Y1+1 # h!Q/Y1", # leakEC!Q"' , !31"

where Y1 is given in Eq. !29". As expected, K containsonly quantities that are known either from calibration orfrom the parameter estimation of the protocol !R ,Q".

3. P&M with decoy states

The idea of decoy states is simple and deep. Alicechanges the nature of the quantum signal at random dur-ing the protocol; at the end of the quantum signal ex-change, she will reveal which state she sent in each run.Thus, Eve cannot adapt her attack to Alice’s state, but inthe postprocessing Alice and Bob can estimate their pa-rameters conditioned on that knowledge. The first pro-posal using one- and two-photon signals !Hwang, 2003"was rapidly modified to the more realistic implementa-tion in which Alice modulates the intensity of the laser!Lo, Ma, and Chen, 2005; Wang, 2005". As mentioned,several experiments have already been performed !Maet al., 2006; Zhao et al., 2006; Peng et al., 2007; Rosen-berg et al., 2007; Yuan, Sharpe, and Shields, 2007", morerecently even including finite-key effects !Hasegawa etal., 2007".

Let 8 be some tunable parameter!s" in the source, thetypical example being 8=4, the intensity !mean photonnumber" of a laser. Alice changes the value of 8 ran-domly from one pulse to the other; at the end of theexchange of quantum signals, Alice reveals the list ofvalues of 8!X, and the data are sorted in order to esti-mate the parameters separately for each value. With thissimple method, Alice and Bob measure 2#X# parameters,namely, the R8 and the Q8.

The set X is publicly known as part of the protocol,but if #X#-1, Eve cannot adapt her strategy to the actualvalue of 8 in each pulse because she does not know it.Therefore, fn and +n are independent of 8; in particular,Rn8 = >SpA!n #8"fn. The measured parameters

R8 = (n@0

Rn8 and Q8 = (

n@0!Rn

8 /R8"+n !32"

define a linear system with 2#X# equations for fn and +n.The optimization in Eq. !28" must then be performedusing the lower bound for Y1

8 and the upper bound for +1as obtained from the measured quantities &R8 ,Q8'8!X

52More explicitly, this formula should read IE=min!IAE ,IBE"with IAE=maxEve(nYnIAE,n and similarly for IBE. In the devel-opment of QKD, this formula was derived first for BB84 !Got-tesman, Lo, Lütkenhaus, and Preskill, 2004", then for SARG04!Fung, Tamaki, and Lo, 2006", and then generalized to alldiscrete-variable protocols !Kraus, Branciard, and Renner,2007".

53First proved by Inamori, Lütkenhaus, and Mayers !2007" inthe context of unconditional security.



!Tsurumaru, Soujaeff, and Takeuchi, 2008". In practice,the meaningful contributions are typically the n=0,1 ,2terms, and a decoy-state protocol with #X#=3 comes veryclose to an exact determination !Hayashi, 2007b". Forsimplicity, here we suppose that all fn and +n have beendetermined exactly.54 Also, we consider a protocol inwhich the classical postprocessing that extracts a key isdone separately on the data that correspond to different8. For each 8, the quantity to be subtracted in PA is55

IE8 = 1 # Y0

8 # Y18+1 # h!+1", !33"

with Y0,18 =R0,1

8 /R8, and the corresponding achievable se-cret key rate is

K8 = R8&Y08 + Y1

8+1 # h!+1", # leakEC!Q8"' . !34"

The total secret key rate is K=(8!K8, where the sum is

taken on all values of 8 such that K8@0. If the classicalpostprocessing were done on the whole raw key, the to-tal secret key rate would read K=R+1# leakEC!Q",#(8R8IE

8 . The two expressions coincide if there exists a 8that is used almost always.

4. P&M: Analytical estimates

Alice and Bob can optimize K by playing with theparameters of the source, typically the intensity. A rig-orous optimization can be done only numerically. In thissection, we rederive some often-quoted results for P&Mimplementations of BB84. For this a priori estimate, onehas to assume that some “typical” values for Rn and Qnwill be observed. As stressed above, security must bebased on the actually measured values: what followsprovides only guidelines to start working with the cor-rect orders of magnitude. Here we chose to work in aregime in which the rate of detection of true photonsis much larger than the dark count rate. For simplicity,we also assume optimal error correction, so thatleakEC!Q"=h!Q".

The reference case is the case of single-photonsources, for which the meaningful scheme is P&M with-out decoy states. For this source, pA!1"=1 and thereforeY1=1; the expected detection rate is R= >SttB=, and Eq.!31" yields immediately

K ) >SttB=+1 # 2h!Q", !single photon" . !35"

As expected, K scales linearly with the losses in the lineand the efficiency of the detector.

The most widespread sources in P&M schemes areattenuated lasers. The estimate can be made by consid-ering only the single-photon and two-photon emissions:pA!1"=4e#4 and pA!2"=42e#4 /2. The expected detectionrate is R= >S4ttB=. The important feature that is absentin the study of single-photon sources is the existence of

an optimal value for the intensity 4, a compromise be-tween a large R and a small pA!2". We focus first onimplementations without decoy states. We can setpA!1")4 and pA!2")42 /2, but still the optimal value of4 cannot be estimated exactly in general, because Y1=1#4 /2ttB= depends on 4 and appears in a nonalge-braic function. We then consider first the limiting caseQ=0: Eq. !31" becomes K / >S)4ttB=#42 /2, whosemaximal value is 1

2 !ttB="2, obtained for 40= ttB= !Lüt-kenhaus, 2000". To obtain estimates for the Q-0 case,we can make the approximation of using 40 to computeY1, i.e., to set Y1= 1

2 . Then, the optimization of Eq. !31"is also immediate: writing F!Q"=1#h!2Q"#h!Q", thehighest achievable secret key rate is

K/>SttB=) 124optF!Q" !laser, no decoy" !36"

obtained for the optimal mean photon number

4opt ) ttB=F!Q"/+1 # h!2Q", . !37"

We now perform the estimate for an implementationusing decoy states. The decoy consists in varying theintensity of the laser from one pulse to another so thatthe general parameter 8 is in fact 4. We suppose that agiven value 4 is used almost always !and this one wewant to optimize", while sufficiently many decoy valuesare used in order to provide a full parameter estimation.The expected values are R4= >S4ttB=, R1

4= >S4e#4ttB=,and +1=Q. Inserted into Eq. !34", one obtains K) >S4ttB=&e#4+1#h!Q",#h!Q"'; using e#4)1#4, this ex-pression reaches the maximal value

K/>SttB=) 124opt+1 # 2h!Q", !laser, decoy" !38"

for the optimal mean photon number

4opt )1221 #

h!Q"1 # h!Q"3 . !39"

We now summarize. Without decoy states, 4opt1 t andconsequently KA t2: the larger the losses, the more at-tenuated must the laser be. The reason are PNS attacks:Alice must ensure that Eve cannot reproduce the detec-tion rate at Bob’s using only photons that come fromtwo-photon pulses !on which she has full information".With decoy states, one can determine the fraction of de-tections that involve photons coming from two-photonpulses; if this fraction is as low as expected, one canexclude a PNS attack by Eve—as a benefit, the linearscaling KA t is recovered. This is the same scaling ob-tained with single-photon sources, with the obvious ben-efit that lasers are much more versatile and well devel-oped than strongly sub-Poissonian sources. Anotherinteresting remark is that, both with and without decoystates, 4opt)

124crit, where the critical value 4crit is de-

fined as the one for which K)0. In other words, anintensity double the optimal one is already enough tospoil all security. In implementations without decoystates, where 4 decreases with increasing t, this calibra-tion may be critical at long distances.

54As a side remark, one might find +n@2-0, but this does notmodify the discussion in Sec. IV.B.1 about the optimal attack.Indeed, Eve might have performed the attack that gives +n@2=0 and then added some errors “for free.”

55Note the presence of Y08 in the next two equations.



5. Entanglement based

If Alice holds the down-conversion source, as is thecase in almost all EB QKD experiments performed todate,56 an EB scheme is equivalent to a P&M one !seeSec. II.B.2" so the corresponding security proofs couldbe applied. The only specific difference to address con-cerns the events in which more than one pair is pro-duced inside a coincidence window. As described in Sec.II.E.3, two kinds of such contributions exist and Eve isable to distinguish between them.

• A fraction of the multipair events contain partial cor-relations in the degrees of freedom used for symbolencoding; thus, Eve can obtain information on thekey bit by some form of PNS attack. This situation issimilar to the multiphoton case in P&M schemes, al-though here it is difficult to determine exactly theamount of information that leaks out. To be on thesafe side we suppose that Eve can obtain full infor-mation without introducing any errors.

• The other, usually much larger, fraction of multipairevents consists of independent uncorrelated pairs. Inthis case Eve cannot obtain any information aboutBob’s symbol using the PNS attack. She can only ap-ply the “standard” single-particle attack. We supposethat Eve can somehow find out which one of multiplepairs was selected by Alice’s detector, so we treat allsuch multipair contributions as if they were singlepairs.

Therefore Eq. !28" is replaced by

IE ) Ym! + Y1!h!Q/Y1!" , !40"

where Y1! is the fraction of single-pair plus uncorrelatedmultipair events and Ym! is the fraction of multipairevents that are !partially" correlated in the degree offreedom in which the information is encoded. Explicitly,

Ym! = pA!n@ 2">S;

R!41"

with ; the ratio of the number of partially correlatedmultipair contributions to all multipair contributions!see Sec. II.E.3". In total Ym! +Y1!=1. Finally, the achiev-able secret key rate reads

K = R&Y1!+1 # h!Q/Y1!", # leakEC!Q"' . !42"

Recall that these formulas apply to implementations inwhich the source is safe on Alice’s side. Notice also thattwo different sorts of multipair contribution are consid-ered and for each of them a different eavesdroppingstrategy is assumed. However, in reality there is asmooth transition between correlated and uncorrelatedpairs. All multipair events that exhibit non-negligible

correlations must be counted as correlated.Recently security has also been demonstrated for EB

systems, in which the source is under Eve’s control !Ma,Fung, and Lo, 2007". They describe the conditions underwhich the whole object “Eve’s state preparation and Al-ice’s measurement” behaves like an uncharacterizedsource in the sense of Koashi and Preskill !2003". Alicehas a box where she can dial a basis and she gets aninformation bit from her box indicating which signal !0or 1" was sent. Whatever state Eve prepares, when sheputs one part into Alice’s box and Alice chooses a mea-surement, then the average density matrix outside thisbox is independent of this choice !assuming that the no-click event probability is basis independent".57 On Al-ice’s side no Hilbert space argument is needed, but onBob’s side the squashing property of the detection is re-quired !see Sec. IV.A.2". The formula for the achievablesecret key rate then reads

K = R+1 # h!Q" # leakEC!Q", . !43"

Formally, this is the same as obtained in a P&M schemeusing single photons +Eq. !31" with Y1=1,. As such, it isa remarkable result: it states that, under the assumptionslisted above, all deviations from a perfect two-photonsource—in particular, the presence of multiphotoncomponents—are taken care of by measuring the errorrate Q !Koashi and Preskill, 2003". In addition, it hasbeen found that the EB QKD can tolerate higher lossesif the source is placed in the middle between Alice andBob rather than if it is on Alice’s side !Waks, Zeevi, andYamamoto, 2002; Ma, Fung, and Lo, 2007".

Finally, we note that very recently another proof ofthe security of entanglement-based systems with real de-tectors was proposed, which does not rely on the squash-ing property but rather on the measurement of thedouble-click rate !Koashi et al., 2008".

C. BB84 coding: Upper bounds incorporating the calibrationof the devices

As explained in Sec. III.B.5, the bounds for uncondi-tional security are always found for the uncalibrated-device scenario, which is overly pessimistic. It is instruc-tive to present some upper bounds that take thecalibration of the devices into account: the comparisonbetween these and the lower bounds will determine the“realm of hope,” i.e., the range in which improvementson K may yet be found. Clearly, the contributionleakEC!Q" of error correction is independent of the sce-nario: one has to correct for all errors, whatever theirorigin. The difference appears in the quantity to be re-moved in privacy amplification.

56We are aware of a single case in which the source was in themiddle !Erven et al., 2008". As discussed below in this section,security proofs have been provided also for this situation.

57This is clearly true for an active basis choice. In the case ofpassive basis selection some additional assumptions on the de-tection may be necessary.



1. Statistical parameters

In order to single out the parameters of the devices,one has first to recast the general notations !Sec. IV.A.1"in a more elaborated form. The detection rates must beexplicitly written as

Rn = Rn,p + Rn,d, !44"

where Rn,p is the contribution of detections and Rn,d isthe contribution of dark counts. Since Eve can act onlyon the first part, it is convenient to redefine Yn=Rn,p /Rso that (nYn-Y#1. The errors on the line +n are intro-duced only on the photon contribution, while the darkcounts always give an error rate of 1

2 ; therefore the totalerror is

Q = Y+ + B , !45"

where +=(n@1!Yn /Y"+n and B= !1#Y" /2.Note that the content of this section is not specific to

the BB84 protocol; but all that follows is.

2. Upper bounds

To derive an upper bound, we use a simple recipe,which consists in following closely the calculations of theprevious section !Sec. IV.B" and making the necessarymodifications, although this is known to be suboptimaland no squashing model is known in this situation tojustify the assumption. In particular, Eve is still supposedto forward to Bob at most one photon, although this isknown to be suboptimal. Therefore

Rn,p = >SpA!n"fntB= , !46"

Rn,d = >SpA!n"!1 # fntB="2pd, !47"

where pd is the dark count rate. Note the presence of tB=in these formulas: the detector efficiency has not beenincorporated into fn. Extracting fntB= from these equa-tions, one finds

Y = !1 # 2pd>S/R"/!1 # 2pd" , !48"

which means that the ratio between detections and darkcounts depends only on the total detection rate R. Also,for our simple recipe, it is immediate that the modifica-tion of the general expression !28" reads

IE = maxEve

+Y1h!+1" + !Y # Y1",

= Y # minEve

Y1+1 # h!+1", . !49"

We restrict the discussion now to the P&M schemes.In the implementation with decoy states, Yn and +n areknown, so the only difference from the uncalibrated-device formula !34" is the role of the dark counts,

K8 = R8&Y18+1 # h!+1", + 2B8 # leakEC!Q8"' , !50"

where Y0 is replaced by the slightly larger term58 2B8

=1#Y8. Things are different for the implementation

without decoy states, because now Y1 and +1 are notdirectly measured; only R and Q are. Since we are sup-posing that the optimal strategy is still such that +n@2=0 and fn@2=1, we have

Y1 = Y # tB=>S

RpA!n@ 2" and +1 =

Q # BY1

. !51"

Note that Y1 can be significantly larger than in theuncalibrated-device scenario +Eq. !29",: in fact, althoughY is slightly smaller than 1, the term to be subtracted ismultiplied by tB=. This difference is specifically due tothe fact that Eve is not supposed to influence the effi-ciency of the detector. Finally, one obtains

K = R&Y1+1 # h!+1", + 2B # leakEC!Q"' !52"

with Eq. !51" and 2B=1#Y.

D. Bounds for the SARG04 coding

We sketch here the analysis of the SARG04 protocolbecause it contains a certain number of instructive dif-ferences with respect to BB84. We note that >S=>S /2because Bob must always choose the bases with prob-ability 1

2 , even if Alice almost always uses the same set ofstates. The raw key rates are different from those ofBB84. For definiteness, suppose that Alice sends #+x$ sothe bit is accepted if Bob finds 0. If Bob measures X, heaccepts the bit only if he obtains 0, but this can only bedue to an error. We write Rn

w= >SpA!n"fn+n, where therelation of +n to the induced error rate +n will be com-puted below. If Bob measures Y, he gets 0 in half of thecases59 and the bit value is correct. As a result,

Rn = >SpA!n"fn! 12 + +n" . !53"

We see that the detection rate increases in the presenceof errors, in contract to the situation in BB84, where thedetection rate is determined only by psift. The error rateis

+n = +n4212

+ +n3; !54"

for a given perturbation +n in the quantum channel, theerror introduced in SARG04 is roughly twice the error+n= +n that would be introduced in BB84.

The protocol can be analyzed following the same pat-tern as the one presented for BB84. Here we review themain results.

58In the notation here the previous Y0 would read R0 /R=R0,d /R; while 2B=(n@0Rn,d /R. Note that, strictly speaking,

R0=R0,d is an assumption: a priori one can imagine that Evecreates some photons to send to Bob also when Alice is send-ing no photons—but we do not consider here such a highlyartificial situation.

59This statement contains an assumption about Eve’s attack,namely, Tr+/y(!±x",=0, where (!±x" is the state received byBob after Eve’s intervention, when Alice has sent #±x$. But theresult holds in general for the average detection rate, if Aliceprepares all four states with equal probability.



• SARG04 was invented as a method to reduce theeffect of PNS attacks, taking advantage of the factthat Eve cannot extract full information from thetwo-photon pulses !Acín, Gisin, and Scarani, 2004;Scarani, Acín, Ribordy, and Gisin, 2004". This initialintuition has been confirmed by all subsequent, morerigorous studies. In particular, it was proved that afraction of the fully secure secret key can be ex-tracted from the two-photon pulses !Tamaki and Lo,2006", and that in implementations using weak coher-ent lasers and without decoy states, for a small errorrate, SARG04 indeed performs better than BB84and shows a scaling 1t3/2 as a function of the distance!Branciard et al., 2005; Koashi, 2005; Kraus, Bran-ciard, and Renner, 2007". In the literature one findsthe claim that, when implemented with decoy states,SARG04 performs worse than BB84 !Fung, Tamaki,and Lo, 2006; Kraus, Branciard, and Renner, 2007".This must be properly understood: decoy states are amethod to gain additional knowledge about Eve’s at-tack. If this method does not reveal any PNS attack!as will be the case in most experiments becauselosses appear random and therefore Eve is acting asa beam splitter", indeed the BB84 rate is better thanthat of SARG04. However, if Eve is actually per-forming a PNS attack, SARG04 will of course bemore robust, consistently with what we wrote in theprevious item.

• An interesting case arises if one considers implemen-tations with single-photon sources. The first uncondi-tional security bound yielded that the SARG04 pro-tocol tolerates a smaller QBER than BB84 !Tamakiand Lo, 2006". But this bound was improved shortlythereafter: the optimal IE,1, which is not known ana-lytically but can easily be computed numerically,goes to zero for +1)11.67% !Kraus, Branciard, andRenner, 2007". This improved value is slightly betterthan the corresponding value for BB84, +1)11.0%:it seems therefore that SARG04 would perform bet-ter than BB84 in a single-photon implementationalso. The picture is different, however, if one relatesthe error rate to parameter of the channel, typicallythe visibility of interference fringes: this parameter isrelated to the ones introduced here through +1˜ = !1#V" /2. For BB84, +1˜ =+1 and consequently the criti-cal visibility is V)78%; while for SARG04, becauseof Eq. !54", the critical visibility is worse, namely, V)87%.

V. CONTINUOUS-VARIABLE PROTOCOLS

A. Status of security proofs

In the case of Gaussian modulation, security has beenproved against collective attacks !García-Patrón andCerf, 2006; Navascués, Grosshans, and Acín, 2006". We

present this bound below !Sec. V.B" and use it for com-parison with the other platforms !Sec. VII". There issome hope that the same bound would also hold for themost general attack, as it is the case for discrete-variablesystems: in particular, we note that the “intuitive” reasonbehind that equivalence !Sec. III.B.2" would apply alsoto CV protocols. Unfortunately, the exponential DeFinetti bound !Renner, 2007" does not help because itexplicitly depends on the dimension of the quantum sig-nals. For more on this issue, see the “Note added” at theend of this paper.

In the case of discrete modulation, the security statusis even less advanced. Technically, the difficulty lies inthe fact that the raw key is made up of discrete variablesfor Alice, while Bob has a string of real numbers. A fullanalysis has been possible only in the case where thequantum channel does not add excess noise to the sig-nal, so that the observed conditional variances still de-scribe minimum-uncertainty states. In this case, theeavesdropper’s attack is always describable as a general-ized beam-splitting attack, simulating the observed loss.The corresponding key rates depend on the classicalcommunication protocols chosen !with or without post-selection of data, in reverse or direct reconciliation"; thebest-known protocol involves a combination of postse-lection and reverse reconciliation, especially when theerror-correction algorithms work away from theasymptotic Shannon efficiency !Heid and Lütkenhaus,2006". In the presence of excess noise, the formula forthe key rate is the object of ongoing research; it has atleast been possible to derive entanglement witnesses!Rigas, Gühne, and Lütkenhaus, 2006". Entanglementverification has been performed and has shown that ex-cess noise in typical installations does not wipe out thequantum correlation within the experimentally acces-sible domain !Lorenz et al., 2006".

Finally, in all works on CV QKD, with no exception, ithas been assumed that Eve does not act on the localoscillator60—of course, she is allowed to have access to itin order to measure quadratures. Since the local oscilla-tor travels through Eve’s domain, this assumption opensa security loophole.61 Note that a similar situation bur-dened until recently the security of plug-and-play con-figurations, for which finally unconditional security wasproved !see Sec. II.H.2"; it is not clear, however, that thesame approach will work here since the strong pulses

60This amounts to viewing the local oscillator as an authenti-cated channel, building on the closeness to classical signals. Inan alternative setup, this problem can be circumvented by Bobmeasuring the phase of the local oscillator, followed by therecreation within Bob’s detector of a local oscillator with themeasured phase !Koashi, 2004".

61For the setups as they have been implemented, all observedcorrelations are compatible with an intercept-resend attack in-volving both the signal and the local oscillator. Security againstthis specific attack can be easily recovered by simple modifica-tions of the setups; for example, the independent measurementof the intensity of the phase reference pulse and the signalpulse !Häseler, Moroder, and Lütkenhaus, 2008".



have very different roles in the two schemes. In anycase, the open issue just discussed together with the factthat the existing exponential De Finetti theorem doesnot apply to infinitely dimensional systems are the mainreasons that unconditional security proofs are not avail-able yet for CV QKD.

As mentioned earlier !Sec. II.D.3", continuous-variable protocols also show interesting features in theclassical part. In contrast to typical discrete-variable pro-tocols, where losses simply reduce the number of de-tected signals, continuous-variable protocols will alwaysdetect a result so that loss corresponds now to increasednoise in the signal. Two main methods have been formu-lated to deal with this situation at the protocol level:reverse reconciliation !Grosshans and Grangier, 2002"and postselection !Silberhorn et al., 2002". The firstmethod can be realized using one-way EC schemes, butturns out to be sensitive to the efficiency of thoseschemes. Its main advantage is that its security can berigorously assessed versus general collective attacks !andhas been conjectured to hold even for coherent attacks".In contrast, the second method can use both one-wayand two-way EC schemes, and is fairly stable even ifthose schemes do not perform at the Shannon limit.However, its security can be analyzed only by makingassumptions about Eve’s interception !see below". Thestatus of its security is not clear even for general indi-vidual attacks. Note that, for close-to-perfect EC, re-verse reconciliation outperforms postselection. Whileprogress is being made in the efficiency of EC schemes,it turns out that a combination of postselection and re-verse reconciliation provides a practical solution to ob-tain reasonable rates with current technology, both fordiscrete-modulation !Heid and Lütkenhaus, 2006" andfor Gaussian-modulation protocols !Heid and Lütken-haus, 2007".

B. Bounds for Gaussian protocols

1. Generalities

As discussed, we provide an explicit security boundfor the coherent-state homodyne-detection protocol ofGrosshans and Grangier !2002a". Like all Gaussian pro-tocols, this prepare-and-measure protocol can be shownto be equivalent to an entanglement-based scheme!Grosshans, Cerf, et al., 2003". In such a scheme, Aliceprepares an Einstein-Podolsky-Rosen !EPR" state—more precisely, the two-mode squeezed vacuum state!15". By applying a heterodyne measurement on modeA, she prepares in the second mode of the EPR pair acoherent state, whose displacement vector is Gaussiandistributed in x and p. Then, Bob applies a homodynemeasurement on mode B, measuring quadrature x or p.It can be shown that reverse reconciliation is always fa-vorable for Alice and Bob, so we have to compute Eq.!21" with IEB on the right-hand side.

It has been proved that Eve’s optimal attack is Gauss-ian for both individual !Grosshans and Cerf, 2004;García-Patrón, 2007; Lodewyck, Debuisschert, et al.,

2007" and collective attacks !García-Patrón and Cerf,2006; Navascués, Grosshans, and Acín, 2006". We cantherefore assume that Eve effects a Gaussian channel sothat the quantum state (AB just before Alice and Bob’smeasurements can be assumed to be a Gaussian two-mode state with zero mean value and covariance matrixCAB.

The Gaussian channel is characterized by two param-eters: the transmittance, which here, since we work inthe uncalibrated-device scenario, is t= with = the effi-ciency of the detectors; and the noise B referred to theinput of the channel.62 Since the two-mode squeezedstate !15" is also symmetric and has no correlations be-tween x and p, the resulting covariance matrix of modesA and B can be written in a block-diagonal form,

CAB = 2CABx 0

0 CABp 3 !55"

with

CABx!p" = 2 v ±%t=!v2 # 1"

±%t=!v2 # 1" t=!v + B" 3 , !56"

where the signs ! and 0 correspond to CABx and CAB

p ,respectively. Here v is the variance of both quadraturesof Alice’s output thermal state expressed in shot-noiseunits, that is, v=vA+1, with vA the variance of Alice’sGaussian modulation.

For what follows, it is convenient to define vX#Y, theconditional variance that quantifies the remaining uncer-tainty on X after the measurement of Y,

vX#Y = /x2$ # /xy$2//y2$ , !57"

expressed in shot-noise units.

2. Modeling the noise

The noise B is the total noise of the Alice-Bob chan-nel. It can be modeled as the sum of three terms,

B = !1 # t"/t + Bh/t + 1 . !58"

The first term !1# t" / t stands for the loss-inducedvacuum noise !referred to the input"; this term is at theorigin of the higher sensitivity to losses of continuous-variable QKD. The second term stands for the noiseadded by the imperfection of the homodyne detection.This is modeled by assuming that the signal reachingBob’s station is attenuated by a factor = !detection effi-ciency" and mixed with some thermal noise vel !elec-tronic noise of the detector", giving63

62The observed noise in channels such as optical fibers is typi-cally symmetric and uncorrelated in both quadratures x and p!there is no preferred phase" so we restrict consideration tothis case here.

63Replacing the expression for Bh into Eq. !58", one obtainsB= !1# t=+vel" / t=++, which depends only on t=, as it should inthe uncalibrated-device scenario.



Bh = !1 + vel"/= # 1. !59"

The third term 1 is the excess noise !referred to the in-put" that is not due to line losses nor detector imperfec-tions. For a perfect detector, it can be viewed as thecontinuous-variable counterpart of the QBER indiscrete-variable QKD; it is zero for a lossy but noiselessline.

3. Alice-Bob information

In the EB version of the coherent-state protocol con-sidered here !Grosshans and Grangier, 2002a", Aliceperforms heterodyne detection so her uncertainty onBob’s quadratures is expressed as

vB#AM= t=!B + 1" . !60"

The mutual information between Alice and Bob istherefore given by

I!A:B" =12

log22 vB

vB#AM

3 =12

log22B + vB + 1

3 . !61"

As mentioned above, the main bottleneck ofcontinuous-variable QKD schemes comes from theheavy postprocessing that is needed in order to correctthe errors due to the vacuum noise that is induced by theline losses. In practice, the amount of information leftafter error correction will be a fraction < of I!A :B". Thisvalue has an important effect on the achievable secretkey rate and the limiting distance !as discussed below,for <=1 a secure key can in principle be extracted forarbitrarily large distances". This provides a strong incen-tive for developing better reconciliation algorithms. Thefirst technique that was proposed to performcontinuous-variable error correction relied on a so-called “sliced reconciliation” method !Van Assche, Car-dinal, and Cerf, 2004", and gave an efficiency <)80%.These algorithms have been improved using turbo codes!Nguyen, Van Assche, and Cerf, 2004" and low-densityparity codes !LDPCs" !Bloch et al. 2005", which bothallow working with noisy data, hence longer distances.More recently, multidimensional reconciliation algo-rithms have been introduced, which allow even noisierdata to be dealt with; while keeping similar or higherreconciliation efficiencies !Leverrier, Alleaume, et al.,2008".

4. Individual attacks

To become familiar with the security analysis, we firstpresent individual attacks. In order to address the secu-rity of the protocol, we assume as usual that Eve holdsthe purification of (AB. Then, by measuring their sys-tems, Alice and Eve project Bob’s share of the joint purestate #%ABE$ onto another pure state +we may assumewithout loss of generality that Eve’s projection resultsfrom a rank-1 positive-operator-valued measure!POVM",. Applying the Heisenberg uncertainty relationon the pure state held by Bob conditionally on Alice andEve’s measurements, we have

vXB#EvPB#A @ 1, vPB#EvXB#A @ 1, !62"

where XB and PB are the canonically conjugate quadra-tures of Bob’s mode. Equation !62" can be written as asingle uncertainty relation

vB#EvB#A @ 1, !63"

where B stands for any quadrature of Bob’s mode. Thisinequality can be used to put a lower bound on the un-certainty of Eve’s estimate of the key in reverse recon-ciliation, that is, when the key is made out of Bob’s datawhile Alice and Eve compete to estimate it.

Now, vB#A is not necessarily given by Eq. !60": Eve’sattack cannot depend on how the mixed state sent byAlice !i.e., the thermal state" has been prepared, since allpossible ensembles are indistinguishable. An acceptablepossibility is that Alice performs homodyne measure-ment, or, equivalently, prepares squeezed states just as inthe protocol of Cerf, Lévy, and Van Assche !2001"; inwhich case we obtain

vB#A = t=!B + 1/v" . !64"

It can be shown that this is the lowest possible value ofvB#A; hence from Eq. !63"

vB#E @ 1/t=!B + 1/v" . !65"

This gives a bound for I!B :E", so the extractable secretkey rate under the assumption of individual attacks be-comes

r = I!A:B" # I!E:B" =12

log22 vB#E

vB#AM

3@

12

log22 1!t="2!B + 1/v"!B + 1"3 !66"

as shown by Grosshans, Van Assche, et al. !2003". Notethat the scheme that implements the optimal attack!saturating this bound" is the entanglement cloner de-fined by Grosshans and Grangier !2002b". Using Eq.!58", in the case of high losses !t=!0" and large modu-lation !v!*", the secret key rate r remains nonzero pro-vided that the excess noise satisfies 1#1/2. This is aremarkable result due to reverse reconciliation: for di-rect reconciliation, obviously there can be no securitywhen Eve has as much light as Bob, i.e., for t=) 1

2 .A similar reasoning can be followed to derive the se-

curity of all Gaussian QKD protocols against individualattacks !García-Patrón, 2007". The only special case con-cerns the coherent-state heterodyne-detection protocol,whose security study against individual attacks is moreinvolved !Lodewyck and Grangier, 2007; Sudjana et al.,2007".

5. Collective attacks

The security of the coherent-state homodyne-detection scheme against the class of collective attackshas been fully studied. The corresponding rates werefirst provided assuming that Eve’s collective attack is



Gaussian !Grosshans, 2005; Navascués and Acín, 2005".Later on, it was proved that this choice is actually opti-mal !García-Patrón, and Cerf, 2006; Navascués, Gross-hans, and Acín, 2006". This implies that it remains suffi-cient to assess the security against Gaussian collectiveattacks, which are completely characterized by the cova-riance matrix CAB estimated by Alice and Bob. A longbut straightforward calculation shows that

?!B:E" = g!71" + g!72" # g!73" , !67"

where g!x"= !x+1"log2!x+1"#x log2 x is the entropy of athermal state with a mean photon number of x and 7k= !7k#1" /2, where

71,22 =

12

!A ± %A2 # 4B", 732 = v

1 + vBv + B

!68"

with A=v2!1#2t="+2t=+ +t=!v+B",2 and B= +t=!vB+1",2.

In conclusion, the secret key rate achievable againstcollective attacks is obtained by inserting Eqs. !61" and!67" into

K = R+<I!A:B" # ?!B:E", . !69"

Finally, we note that the optimality of Gaussian attacksis actually valid for protocols that use heterodyne detec-tion; a bound for security against Gaussian collective at-tacks in these protocols has been provided recently !Pi-randola, Braunstein, and Lloyd, 2008".

6. Collective attacks and postselection

In the case where all observed data are Gaussian, in-cluding the observed noise, we can provide a securityproof which also allows the inclusion of postselection ofdata in the procedure. The starting point of this securityproof is a protocol with Gaussian distribution of the am-plitude together with heterodyne detection by Bob. Inthis case, in a collective attack scenario, we can assume aproduct structure of the subsequent signals, and the den-sity matrix (AB of the joint state of Alice and Bob iscompletely determined due to the tomographic structureof the source replacement picture and the measurement.In this scenario, we can therefore determine the quan-tum states in the hand of the eavesdropper as Eve holdsthe system E of the purification #%$ABE of (AB.

We consider the situation where all observed data inthis scenario are Gaussian distributions, which is thetypical observation made in experiments. Note that thisis an assumption that can be verified in each run of theQKD protocol. In principle, one can use the standardformula for the key rate in the collective scenario +Eq.!69",. However, we introduce a postselection procedure!Silberhorn et al., 2002" to improve the stability of theprotocol against imperfections in the error-correctionprotocol.

To facilitate the introduction of postselection, we addfurther public announcements to the CV QKD protocol:Alice makes an announcement “a” consistent with theimaginary component 6y and the modulus of the real

component #6x# of the complex amplitude 6 of her sig-nals. That leaves two possible signals state open. Simi-larly, Bob makes an announcement “b” which containsagain the complex component <y and the modulus #<x#of the complex measurement result < of her heterodynemeasurement. That leaves, again, two possible measure-ments from Eve’s point of view. For any announcementcombination !a ,b" we have therefore an effective binarychannel between Alice and Bob. As the purification ofthe total state (AB is known, we can calculate for eacheffective binary channel a key rate

:I!a,b" = max&1 # f!ea,b"h+ea,b, # ?a,b,0' . !70"

This expression contains the postselection idea in theway that whenever 1#h+ea,b,#?a,b is negative, the dataare discarded, leading to a zero contribution of the cor-responding effective binary channel to the overall keyrate. The expressions for ?a,b have been calculated ana-lytically by Heid and Lütkenhaus !2007", which is pos-sible since the conditional states of Eve, as calculatedfrom the purification of (AB, are now at most of rank 4.Several scenarios have been considered there, but theone that is of highest interest is the combination of post-selection with reverse reconciliation. The explicit ex-pressions are omitted here, as they do not give addi-tional insight. The evaluation of the overall key rate

K = R. da db :I!a,b" !71"

is then done numerically.

VI. DISTRIBUTED-PHASE-REFERENCE PROTOCOLS

A. Status of security proofs

As discussed in Sec. II.D.4, distributed-phase-reference protocols were invented by experimentalists,looking for practical solutions. Only later was it noticedthat these protocols, in addition to be practical, mayeven yield better rates than the traditional discrete-variable protocols, i.e., rates comparable to those ofdecoy-state implementations. The reason is that the PNSattacks are no longer zero-error attacks for either DPS!Inoue and Honjo, 2005" for COW !Gisin et al., 2004;Stucki et al., 2005". In fact, the number of photons in agiven pulse and the phase coherence between pulses areincompatible physical quantities. Currently no lowerbound is known for the unconditional security of DPS orCOW, but several restricted attacks have been studied!Curty, Tamaki, and Moroder, 2005; Waks, Takesue, andYamamoto, 2006; Branciard et al., 2007; Curty et al.,2007; Tsurumaru, 2007; Branciard, Gisin, and Scarani,2008; Gomez-Sousa and Curty, 2008". In these studies, ithas also been noticed that DPS and especially COW canbe modified in a way that does not make them morecomplicated, but may make them more robust !Bran-ciard, Gisin, and Scarani, 2007". Since this point has notbeen fully developed, we restrict our attention to theoriginal version of these protocols.



B. Bounds for DPS and COW

1. Collective beam-splitting attack

We present the calculation of the simplest zero-errorcollective attack, namely, the beam-splitting attack!Branciard, Gisin, and Scarani, 2008". For both DPS andCOW, Alice prepares a sequence of coherent states!k#6!k"$: each 6!k" is chosen in &+6 ,#6' for DPS, in&+6 ,0' for COW. Eve simulates the losses with a beamsplitter, keeps a fraction of the signal, and sends the re-maining fraction ,= ttB= to Bob on a lossless line—notethat, although this security study does not provide alower bound, we work in the uncalibrated-device sce-nario for the sake of comparison with the other proto-cols. Bob receives the state !k#6!k"%,$: in particular,Bob’s optical mode is not modified, i.e., BSA introducesno error.64 Eve’s state is !k#6!k"%1#,$; we introduce thenotations 6E=6%1#, and

C = e##6E#2 = e#4!1#,". !72"

When Bob announces a detection involving pulses k#1and k, Eve tries to learn the value of his bit by looking ather systems. Assuming that each bit value is equallyprobable, Eve’s information is given by IEve=S!(E"# 1

2S!(E#0"# 12S!(E#1" with (E= 1

2(E#0+ 12(E#1.

The information available to Eve differs forthe two protocols because of the different coding ofthe bits. In DPS, the bit is 0 when 6!k#1"=6!k"and is 1 when 6!k#1"=#6!k". So, writing P&

the projector on #&$, the state of two consecutivepulses reads (E#0= 1

2P+6E,+6E+ 1

2P#6E,#6Eand (E#1

= 12P+6E,#6E

+ 12P#6E,+6E

; therefore, noticing that 5/+6E ##6E$5=C2, we obtain

IE,BSDPS !4" = 2h+!1 # C2"/2, # h+!1 # C4"/2, , !73"

where h is the binary entropy function, and

K!4" = >S!1 # e#4ttB="+1 # IE,BSDPS !4", . !74"

In COW, the bit is 0 when 6!k#1"=%4, 6!k"=0 and is 1when 6!k#1"=0, 6!k"=%4; so, with similar notations asabove, (E#0=P+6E,0 and (E#1=P0,+6E

; therefore, noticingthat 5/+6E #0$5=C, we obtain

IE,BSCOW!4" = h+!1 # C"/2, . !75"

The secret key rate is given by

K!4" = >S!1 # e#4ttB="+1 # IE,BSCOW!4", , !76"

where >S=>S!1# f" /2, because the fraction f of decoy se-quences does not contribute to the raw key, and half ofthe remaining pulses are empty.

2. More sophisticated attacks

For the purpose of comparison with other protocolslater in this review, it is useful to move away from thestrictly zero-error attacks. As mentioned above, severalexamples of more sophisticated attacks have indeedbeen found. Instead of looking for the exact optimumamong those attacks, we prefer to keep the discussionsimple, bearing in mind that all available bounds are tobe replaced one day by unconditional security proofs.

We consider attacks in which Eve interacts coherentlywith pairs of pulses !Branciard, Gisin, and Scarani,2008". Upper bounds have been provided in the limit4t91 of not-too-short distances. Even within this family,a simple formula is available only for COW. For COW,there is no a priori relation between the error on the key+ and the visibility V observed on the interferometer. Ife#4)8-2%V!1#V", one finds IE

COW!4"=1: 4 is too largeand no security is possible. If, on the contrary, e#4-8,the best attack in the family yields

IECOW!4" = + + !1 # +"h21 + FV!4"

23 !77"

with FV!4"= !2V#1"e#4#8%1#e#24. Therefore

K!4" = R+1 # IECOW!4" # leakEC!Q", , !78"

where the value of R is constrained by the definition ofthe attack to be >S!4ttB=+2pd".

As for DPS, numerical estimates show that its robust-ness under the same family of attacks is very similar!slightly better" than that of COW. Therefore, we useEq. !78" as an estimate of the performances ofdistributed-phase-reference protocols in the presence oferrors; again, for the sake of comparison with the otherprotocols, we have adopted the uncalibrated-device sce-nario here.65

VII. COMPARISON OF EXPERIMENTAL PLATFORMS

A. Generalities

After having presented the various forms that practi-cal QKD can take, we now try and draw some compari-son. If one disposed of unlimited financial means andmanpower, then obviously the best platform would bethe one that maximizes the secret key rate K for thedesired distance. A choice in the real world will obvi-ously put other parameters in the balance, like simplic-ity, stability, cost, etc. Some partial comparisons are

64Apart from BSA, other attacks exist that do not introduceerrors: for instance, photon-number-splitting attacks over thewhole key, preserving the coherence !these are hard to param-etrize and have never been studied in detail". For COW, therealso exist attacks based on unambiguous state discrimination!Branciard et al., 2007".

65For the family of attacks under study, the rate scales linearlywith the losses; therefore the difference between calibratedand uncalibrated devices is due only to the dark counts. Wehave to warn that the attacks based on unambiguous state dis-crimination, which have been studied explicitly for calibrateddevices !Branciard et al., 2007", are expected to become signifi-cantly more critical in the uncalibrated-device scenario. How-ever, this more complex family of attacks can be further re-stricted by a careful statistical analysis of the data: we cantherefore omit it out, which is in any case very partial.



available in the literature; but this is the first systematicattempt to compare the most meaningful platforms atpractical QKD. Of course, any attempt at putting allplatforms on equal footing contains elements of arbi-trariness. Also, we are bounded by the state of the art,concerning both the performance of the devices and thedevelopment of the security proofs, as discussed in theprevious sections. We have chosen to compare the bestavailable bounds, which, however, do not correspond tothe same degree of security: for the implementations ofthe BB84 coding, we have bounds for unconditional se-curity; for continuous-variable systems, we have securityagainst collective attacks; for the new protocols such asCOW and DPS, we have security only against specificfamilies of attacks. Also, one must be reminded that allsecurity proofs hold under some assumptions: thesehave been discussed in Secs. IV–VI; it is crucial to checkif they apply correctly to any given implementation.

As stressed many times, the security of a given QKDrealization must be assessed using measured values.Here we present some a priori estimates: they necessar-ily involve choices, which have some degree of arbitrari-ness. The first step is to provide a model for the channel:the one that we give !Sec. VII.A.1" corresponds well towhat is observed in all experiments and is thereforerather universally accepted as an a priori model. Westress that the actual realization of this specific channelis not a condition for security: Eve might realize a com-pletely different channel, and the general formulas forsecurity apply to any case.66 Once the model of thechannel accepted, one still has to choose the numericalvalues for all the parameters.

1. Model for the source and channel

We assume that the detection rates are those that areexpected in the absence of Eve, given the source and thedistance between Alice and Bob. As for the error rates,we consider a depolarizing channel with visibility V. Foran a priori choice, the modeling of the channel justsketched is rather universally accepted. In detail, it givesthe following.

!a" Discrete-variable protocols, P&M. We considerimplementations of the BB84 coding. The rate isestimated by R= >S!P+Pd", with P=(n@1pA!n"+1# !1# ttB="n, and Pd=2pd(n@0pA!n"!1# ttB="n. Theerror rate in the channel is += !1#V" /2, so the ex-pected error rate is Q= !+P+Pd /2" / !R / >S". Forweak coherent pulses without decoy states, pA!1"

=e#44, pA!n@2"=1#e#4!1+4", and we optimizeK, given by Eq. !31", over 4. For weak coherentpulses with decoy states, we consider an implemen-tation in which one value of 4 is used almost al-ways, while sufficiently many others are used, sothat all the parameters are exactly evaluated. Thestatistics of the source are as above; Y0 is estimatedby >S2pdpA!0" /R, Y1 by >SpA!1"ttB= /R, and we op-timize K given by Eq. !34" over 4. For perfectsingle-photon sources, pA!1"=1 and pA!n@2"=0;we compute Eq. !31", as there is nothing to opti-mize.

!b" Discrete-variable protocols, EB. Again, we con-sider implementations of the BB84 coding. Sincemost of the experiments have been performed us-ing cw-pumped sources, we restrict considerationto this case.67 For such sources, the probability ofhaving multiple pairs is ;=0 with good precision;therefore the bounds !42" and !43" for K are iden-tical. K will be optimized over 4!, the mean pair-generation rate of the source. Note that >S

cw givenby Eq. !20" depends on 4!; given this, one haspA!1")1 and pA!2")4!:t if 4!:t91: indeed, ne-glecting dark counts, whenever any of Alice’s de-tectors fires there is at least one photon going toBob; and the probability that another pair appearsduring the coincidence window :t is approximately4!:t. The total expected error is Q= +!+++!"P+Pd /2, / !R / >S", where += !1#V" /2 as above and+!)4!:t /2 is the error rate due to double-pairevents.

!c" Continuous-variable protocols. We consider theprotocol that uses coherent states with Gaussianmodulation, and compute the best available bound+Eq. !69",, which give security against collective at-tacks. The reference beam is supposed to be so in-tense that there is always a signal arriving at thehomodyne detector, so R= >S. The error is modeledby Eq. !58". Now, just as for discrete-variable pro-tocols one can optimize K over the mean numberof photons !or of pairs" 4 for each distance, hereone can optimize K over the variance v of themodulation. Note that this optimization outputsrather demanding values so that only recently hasit become possible to implement them in practice,thanks to the latest developments in error-correction codes !Leverrier, Alleaume, et al., 2008".

66The attacks we studied against DPS and COW !Sec. VI", dosuppose a model of the channel. This is a signature of theincompleteness of such studies. Security can be guaranteed byadding that, if the channel deviates from the expected one, theprotocol is aborted. A full assessment of the channel requiresadditional tests: the fact that data can be reproduced by achannel model does not imply that the channel model is cor-rect !for instance, in weak-coherent-pulse implementations ofBB84 without decoy states, the observed parameters are com-patible with both a BS and a PNS attack".

67Pulsed sources can be treated in a similar way. For short-pulse schemes, one would have pA!1")4 and pA!2")342 /4 if491; for long-pulse pumping, the statistics of pairs is approxi-mately Poissonian, pA!1")4 and pA!2")42 /2 if 491, andmost of the multipair events are uncorrelated. In both cases,the intrinsic error rate due to double-pair events is +!)4 /2!Eisenberg et al., 2004; Scarani et al., 2005". Note that the pa-rameter ; may be different from 0 in the case of short-pulseschemes.



!d" Distributed-phase-reference protocols. As men-tioned, apart from the errorless case, a simple for-mula exists only for COW, which moreover is validonly at not-too-short distances. We use this boundto represent distributed-phase-reference protocolsin this comparison, keeping in mind that DPS per-forms slightly better, but that in any case only up-per bounds are available. Specifically, we have R) >S!4ttB=+2pd"; we optimize then K!4" given byEq. !78" over 4, and keep the value only if 4optt)0.1. The expected error rate is formally the sameas for the P&M BB84 protocol; recall, however,that here the bit error + is not related to the visibil-ity of the channel and must be chosenindependently.

2. Choice of the parameters

We use two sets of parameters !Table II": set 1 corre-sponds to today’s state of the art, while set 2 reflects amore optimistic but not unrealistic development. More-over, we make the following choices:

• Unless specified otherwise !see Sec. VII.B.2", theplots use the formulas for the uncalibrated-devicescenario. The reason for this choice is the same asdiscussed in Sec. III.B.5: unconditional security hasbeen proved only in this overly-pessimistic scenario.

• Since we are using formulas that are valid only in theasymptotic regime of infinitely long keys, we removethe nuisance of sifting by allowing an asymmetricchoice of bases or of quadratures. Specifically, thisleads to >S=>S for both BB84 and continuous-variable protocols. Similarly, for COW we can set f=0, whence >S=>S /2.

• For definiteness, we consider fiber-based implemen-tations; in particular, the relation between distanceand transmission will be Eq. !17" with 6=0.2 dB/km; and the parameters for photoncounters are given at telecom wavelengths !Table II".The reader must keep in mind that, in free-spaceimplementations, where one can work with other fre-quencies, the rates and the achievable distance maybe larger.

B. Comparisons based on K

1. All platforms on a plot

As a first case study, we compare all platforms on thesame basis by plotting K />S as a function of the trans-mittivity t of the channel. The result is shown in Fig. 4.We stress the elements of arbitrariness in this compari-

0 5 10 15 20 25 30 35 40

10!6

10!4

10!2

100

t [dB]

K/!

S

decoyCOWWCP

EB

1!ph

CV

0 5 10 15 20 25 30 35 40

10!6

10!4

10!2

100

t [dB]

K/!

SWCP

COW

decoy

CVEB

1!ph

(a)

(b)

FIG. 4. !Color online" K />S as a function of the transmittivityt, for all the platforms. Legend: 1-ph, perfect single-photonsource, unconditional; WCP, weak coherent pulses without de-coy states, unconditional; decoy, weak coherent pulses with de-coy states, unconditional; EB, entanglement-based, uncondi-tional; CV, continuous variables with Gaussian modulation,security against collective attacks; COW, coherent one way,security against the restricted family of attacks described inSec. VI.B.2. Parameters from Table II: set 1, upper graph; set2, lower graph.

TABLE II. Parameters used for the a priori plots. See text fornotations and comments. The entry !opt." means that the pa-rameter will be varied as a function of the distance in order tooptimize K.

Platform Parameter Set 1 Set 2

BB84,COW

4 !mean intensity" !Opt." !Opt."V !visibility": P&M 0.99 0.99V !visibility": EB 0.96 0.99

tB !transmission in Bob’s device" 1 1= !detector efficiency" 0.1 0.2

pd !dark counts" 10#5 10#6

+ !COW" !bit error" 0.03 0.01; !EB" !coherent four photons" 0 0

Leak !EC code" 1.2 1CV v=vA+1 !variance" !Opt." !Opt."

+ !optical noise" 0.005 0.001= !detector efficiency" 0.6 0.85vel !electronic noise" 0.01 0

< !EC code" 0.9 0.9



son !in addition to the choices discussed above". First,we recall that the curves do not correspond to the samedegree of security !see Sec. VII.A". Second, we haveconsidered “steady-state” key rates, because we haveneglected the time needed for the classical postprocess-ing; this supposes that the setup is stable enough to runin that regime !and it is fair to say that many of theexisting platforms have not reached this stage of stabilityyet". Third, the real performance is of course K: in par-ticular, if some implementations have bottlenecks at thelevel of >S !see Sec. III.A", the order of the curves maychange significantly.

2. Upper bound incorporating the calibration of the devices

As a second case study, we show the difference be-tween the lower bounds derived in the uncalibrated-device scenario and some upper bounds that incorporatethe calibration of the devices.

We focus first on BB84 implemented with weak coher-ent pulses; the upper bounds under study have been de-rived in Sec. IV.C. The plots in Fig. 5 show how muchone can hope to improve the unconditional securitybounds from their present status. As expected, the plotconfirms that basically no improvement is expected forimplementations with decoy states, because there onlythe treatment of dark counts is different; while thebound for implementations without decoy states maystill be the object of significant improvement.

We turn now to CV QKD with Gaussian modulation.Bounds for the security against collective attacks assum-ing calibrated devices are given in Eqs. !5"–!12" ofLodewyck, Bloch, et al. !2007". The plots are shown inFig. 6. One sees that the difference between the twoscenarios is significant for set 1 of parameters, but isnegligible for the more optimistic set 2. This is interest-ing, given that the efficiency = of the detectors is “only”85% in set 2.

C. Comparison based on the “cost of a linear network”

We consider a linear chain of QKD devices, aimedat achieving a secret key rate Ktarget over a distance L.Many devices can be put in parallel, and trusted re-peater stations are built at the connecting points.Each individual QKD device is characterized by thepoint-to-point rate K!!" it can achieve as a functionof the distance !, and by its cost C1. We need N= !L /!"Ktarget /K!!" devices to achieve the goal, so thecost of the network is68

Ctot+!, = C1L!

Ktarget

K!!". !79"

The best platform is the one that minimizes this cost,i.e., the one that maximizes F!!"=!K!!". This quantity,normalized to >S, is plotted in Fig. 7 as a function of thedistance for both sets of parameters defined in Table II.Of course, this comparison presents the same elementsof arbitrariness as the previous one.

The optimal distances are quite short, and this can beunderstood from a simple analytical argument. Indeed,typical behaviors are K!!"A t !single-photon sources, at-tenuated lasers with decoy states, and strong referencepulses" and K!!"A t2 !weak coherent pulses without de-coy states". Using t=10#6!/10, it is easy to find !opt thatmaximizes F!!",

K!!" A tk ! !opt = 10/k6 ln 10. !80"

In particular, for 6)0.2 dB/km, one has !opt)20 km fork=1 and !opt)10 km for k=2.

In conclusion, our toy model suggests that, in a net-work environment, one might not be interested in push-ing the maximal separation of the devices; in particular,

68In this first toy model, we neglect the cost of the trustedrepeater stations; see Alléaume et al. !2008" for a more elabo-rated model.

0 5 10 15 20 25 30

10!6

10!4

10!2

t [dB]

K/!

S

WCP decoy

FIG. 5. !Color online" K />S as a function of the transmission tfor the P&M implementations of BB84 with weak coherentpulses: comparison between the lower bound !solid lines, sameas in Fig. 4, upper graph" and the upper bound for calibrateddevices !dashed lines". Legend as in Fig. 4. Parameters fromTable II, set 1.

0 5 10 15 20 25 30 35 40

10!4

10!2

100

t [dB]

K/!

S

set #1

set #2

FIG. 6. !Color online" K />S as a function of the transmis-sion t for CV QKD with Gaussian modulation and securityagainst collective attacks: comparison between the lowerbound !solid lines, same as in Fig. 4" and the upper bound forcalibrated devices !dashed lines" for both sets of parametersfrom Table II. Compared to Fig. 4, the color of the lines of set1 was changed for clarity.



detector saturation !which we neglected in the plotsabove" may become the dominant problem instead ofdark counts.

VIII. PERSPECTIVES

A. Perspectives within QKD

1. Finite-key analysis

As we have stressed, all the security bounds presentedin this review are valid only in the asymptotic limit ofinfinitely long keys. Proofs of security for finite-lengthkeys are a crucial tool for practical QKD. The estimateof finite-key effects, unfortunately, has received verylimited attention so far. The pioneering works !Mayers,1996; Inamori, Lütkenhaus and Mayers, 2007"; as well assome subsequent ones !Watanabe et al., 2004; Hayashi,2006", have used noncomposable definitions of security!see Sec. II.C.2". This is a problem because the securityof a finite key is never perfect, so one needs to knowhow it composes with other tasks. Others studied a newformalism but failed to prove unconditional security!Meyer et al., 2006". The most recent works comply withthe requirements !Hayashi, 2007a; Scarani and Renner,2008"; finite statistics have been incorporated in the

analysis of an experiment !Hasegawa et al., 2007". With-out going into details, all these works estimate that nokey can be extracted if fewer than N)105 signals areexchanged.

2. Open issues in unconditional security

As stated above that, for CV QKD and distributed-phase-reference protocols, no unconditional securityproof is available yet. However, there is an importantdifference between these cases. In the existing CV QKDprotocols, the information is coded in independent sig-nals; because of this, it is believed that unconditionalsecurity proofs can be built as generalizations of the ex-isting ones !see also the “Note added” below". On thecontrary, the impossibility of identifying signals with qu-bits in distributed-phase reference protocols will requirea completely different approach, which nobody has beencurrently able to devise.

As explained in Sec. III.B.5, all unconditional securityproofs have been derived under the overconservativeassumption of uncalibrated devices. Ideally, such anassumption should be removed: one should work outunconditional security proofs taking into account theknowledge about the detectors; this would lead to betterrates. A possible solution is to include the calibration ofthe devices in the protocol itself; the price to pay seemsto be a complication of the setup !Qi, Zhao, et al., 2007".The idea is somewhat similar to the one used in decoystates. We also discussed how calibrated-device proofsmay ultimately provide significant improvement only forsome protocols !see Sec. VII.B.2". The difference be-tween protocols can be understood from the fact thattypically K1 t6, where t is the transmittance and [email protected] 6=1, the only advantage of calibrating the devicescan come from the dark count contribution. If, on thecontrary, 6-1 !weak coherent pulses without decoystates: 6=2 for BB84, 6= 3 / 2 for SARG04", then thedifference is much larger because it matters whether ornot tB= is included in the losses. The urgency of thisrather ungrateful69 task is therefore relative to thechoice of a protocol.

69Here is an example of the complications that might appear.When taking the calibration into account, it is often assumedthat the dark counts do not enter in Eve’s information. Actu-ally, things are more subtle. On the one hand, most of the darkcounts will actually decrease Eve’s information, because shedoes not know if a detection is due to the physical signal!about which she has gained some information" or is a com-pletely random event. On the other hand, if a detection hap-pens shortly after a previous one, Eve may guess that the sec-ond event is in fact a dark count triggered by an afterpulse,and therefore learn about some correlations between the tworesults. Admittedly, these are fine-tuning corrections, and havenever been fully discussed in the literature; but if one wants toprove unconditional security, these marginal issues must bealso properly addressed.

0 50 100 150 20010

!4

10!3

10!2

10!1

100

distance [km]

F/!

S

EB

COW

WCP

CV

1!ph

decoy

0 50 100 150 20010

!4

10!3

10!2

10!1

100

101

distance [km]

F/!

S

EB

decoy

COWWCP

CV

1!ph

(a)

(b)

FIG. 7. !Color online" F />S as a function of the distance ! forall platforms. Legend as in Fig. 4. Parameters from Table II: set1, upper graph; set 2, lower graph.



3. Black-box security proofs

The development of commercial QKD systems makesit natural to ask whether the “quantumness” of such de-vices can be proved in a black-box approach. Of course,the compulsory requirements !Sec. II.C.1" must hold.For instance, the random number generator cannot bewithin the black box because it must be trusted; onemust also make sure that no output port is diffusing thekeys on the internet; and so on. Remarkably though, allthe quantum part can in principle be kept in a black box.The idea is basically the one that triggered Ekert’s dis-covery !Ekert, 1991", although Ekert himself did notpush it so far: the fact that Alice and Bob observe cor-relations that violate a Bell inequality is enough to guar-antee entanglement, independent of the nature of thequantum signals and even of the measurements that areperformed on them. This has been called “device-independent security”; a quantitative bound was com-puted for collective attacks on a modification of Ekert’sprotocol, but the goal of proving unconditional securityis still unattained !Acín et al., 2007". Device-independentsecurity can be proved only for entanglement-basedschemes: for this definition of security, the equivalenceof EB and P&M presented in Sec. II.B.2 does not hold.As long as the detection loophole is open, these securityproofs cannot be applied to any system; but if someknowledge of the devices is reintroduced, they mightprovide a good tool for disposing of all quantum sidechannels !Sec. III.B.4".

4. Toward longer distances: Satellites and repeaters

The attempt to achieve efficient QKD over long dis-tances is triggering ambitious experimental develop-ments. Basically, two solutions are being envisaged. Thefirst is to use the techniques of free space quantum com-munication to realize ground-to-satellite links !Buttler etal., 1998; Rarity et al., 2002; Aspelmeyer et al., 2003".The main challenges are technical: to adapt the existingoptical tracking techniques to the needs of quantumcommunication, and to build devices that can operate ina satellite without need of maintenance.

The second solution is to use quantum repeaters!Briegel et al., 1998; Dür et al., 1999". The basic ideais the following: the link A-B is cut in segmentsA-C1 ,C1-C2 , . . . ,Cn-B. On each segment independently,the two partners exchange pairs of entangled photons,which may of course be lost; but whenever both partnersreceive the photon, they store it in a quantum memory.As soon as there is an entangled pair on each link, theintermediate stations perform a Bell measurement, thusultimately swapping all the entanglement into A-B. Ac-tually, variations of this basic scheme may be more prac-tical !Duan et al., 2001". Whatever the exact implemen-tation, the advantage is clear: one does not have toensure that all the links are active simultaneously; butthe advantage can only be achieved if quantum memo-ries are available. The experimental research in quan-tum memories has increased over recent years, but ap-plications in practical QKD are still far away because

the requirements are challenging !see Appendix B".Teleportation-based links have also been studied in

the absence of quantum memories !quantum relays".They are rather inefficient, but allow reduction of thenuisance of the dark counts and therefore increase thelimiting distance !Jacobs, Pittman, and Franson, 2002;Collins, Gisin, and de Riedmatten, 2005"; however, itseems simpler and more cost effective to solve the sameproblem using cryogenic detectors !see Sec. II.G".

5. QKD in networks

QKD is a point-to-point link between two users. Butonly a tiny fraction of all communication occurs in dedi-cated point-to-point links; most communication takesplace in networks, where many users are interconnected.Note that one-to-many connectivity between QKD de-vices can be obtained with optical switching !Townsendet al., 1994; Elliott, 2002; Elliott et al., 2005".

In all models of QKD networks, the nodes are oper-ated by authorized partners, while Eve can eavesdrop onall links. If the network is built with quantum repeatersor quantum relays, no secret information is available tothe nodes: indeed, the role of these nodes is to performentanglement swapping so that Alice and Bob end upwith a maximally entangled—and therefore fullyprivate—state. Since production of quantum repeaters isstill a challenge, trusted-relays QKD networks havebeen considered. In this case, the nodes learn secret in-formation during the protocol. In the simplest model, aQKD key is created between two consecutive nodes anda message is encrypted and decrypted hop by hop. Thismodel has been adopted by BBN Technologies and bythe SECOQC QKD networks !Elliott, 2002; Elliott etal., 2005; Dianati and Alléaume, 2006; Alléaume et al.,2007; Dianati et al., 2008". Alternatively, the trusted re-lays can perform an intercept-resend chain at the levelof the quantum signal !Bechmann-Pasquinucci and Pas-quinucci, 2005".

B. QKD versus other solutions

Information-theoretically !unconditionally" secure keydistribution !key agreement" is a cryptographic task that,as is well known, cannot be solved by public communi-cation alone, i.e. without employing additional resourcesor relying on additional assumptions. In addition toQKD !the additional resource in this case being thequantum channel", a number of alternative schemes tothis end have been put forward !Wyner, 1975; Csiszárand Körner, 1978; Ahlswede and Csiszár, 1993; Maurer,1993", among which one can also count the traditionaltrusted-courier approach !Alléaume et al., 2007". Whilethe latter is still used in certain high-security environ-ments, QKD is the sole automatic, practically feasible,and efficient information-theoretically secure key agree-ment technology, where in the point-to-point settinglimitations of distance and related key rate apply. Theselimitations can be lifted using QKD networks !see Sec.VIII.A.1".



With this in mind, we address below typical securecommunication solutions in order to relate then subse-quently to the assets offered by QKD. Secure communi-cation in general requires encrypted !and authentic"transition of communication data. In current standardcryptographic practice, neither the encryption schemesnor the key agreement protocols used !wheneverneeded" are unconditionally secure. While there is reallya very broad range of possible alternatives and combi-nations, the most typical pattern for confidential com-munication is the following: public key exchange proto-cols are used to ensure agreement of two identical keys;the encryption itself is done using symmetric-key algo-rithms. In particular, most often some realization of theDiffie-Hellman algorithm !Diffie and Hellman, 1976" isused in the key agreement phase. The symmetric-encryption algorithms most widely used today belong tothe block-cipher class and are typically Triple Data En-cryption Standard !3DES" !Coppersmith et al., 1996" orAdvanced Encryption Standard !AES" !Daemen andRijmen, 2001".

The security of the Diffie-Hellman algorithm is basedon the assumption that the so-called Diffie-Hellmanproblem is hard to solve, the complexity of this problembeing ultimately related to the hardness of the discrete-logarithm problem +see Maurer and Wolf !1999, 2000"for a detailed discussion,. It is widely believed, althoughit was never proven, that the discrete-logarithm problemis classically hard to solve. This is not true in the quan-tum case since a quantum computer, if available, canexecute a corresponding efficient algorithm by PeterShor !Shor, 1994, 1997", which is based on the same fun-damental approach as is the Shor factoring algorithm,already mentioned in Sec. I.A.

It should be further noted that, similarly to QKD, theDiffie-Hellman protocol can trivially be broken if theauthenticity of the communication channel is not en-sured. There are many means to guarantee communica-tion authenticity with different degrees of security but inany case additional resources are needed. In currentcommon practice, public-key infrastructures are em-ployed, which in turn rely on public-key cryptographicprimitives !digital signatures", i.e., on similar assump-tions as for the Diffie-Hellman protocol itself, and ontrust in external certifying entities.

Turning now to encryption, it should be highlightedthat the security of a block-cipher algorithm is basedon the assumption that it has no structural weaknesses,i.e., that only a brute force attack amounting to a thor-ough search of the key space !utilizing pairs of ciphertexts and corresponding known or even chosen plaintexts" can actually reveal the secret key. The cost ofsuch an attack on a classical computer is O!N" opera-tions, where N is the dimension of the key space. Thespeedup of a quantum computer in this case is moder-ate, the total number of operations to be performedbeing O!%N" !Grover, 1996, 1997". The assumption ofthe lack of structural weaknesses itself is not related toany particular class of mathematical problems and in theend relies merely on the fact that such a weakness is not

!yet" known. Cryptographic practice suggests that fora block-cipher algorithm such weaknesses are in factdiscovered at the latest a few decades after itsintroduction.70

Before turning to a direct comparison of the describedclass of secure communication schemes with QKD-based solutions, it should be explained why public-key-based generation combined with symmetric-key encryp-tion is actually the most proliferated solution. Thereason is that currently AES or 3DES encryption, incontrast to direct public-key !asymmetric" encryption,can ensure a high encryption speed and appears optimalin this respect. Typically high speed is achieved by de-signing dedicated hardware devices, which can performencryption at very high rate and ensure a securethroughput of up to 10 Gb per second. Such devices areoffered by an increasing number of producers !see, e.g.,ATMedia GmbH, www.atmedia.de" and it is beyond thescope of the current article to address them in any detail.We, however, underline an important side aspect. Ingeneral, security of encryption in the described scenariois increased by changing the key “often,” the rate ofchange being proportional to the dimension of the keyspace. In practice, however, even in the high-speed casethe key is changed at a rate lower than once per minute!often once per day or even more seldom". The reasonfor this is twofold: on the one hand, public-key-agreement algorithms are generally slow and, on theother hand, the current design of dedicated encryptiondevices is not compatible with a rapid key change.

The question now is how QKD compares with thestandard practice as outlined above. It is often arguedthat QKD is too slow for practical uses and that thelimited distance due to the losses is a limitation to thesystem as such. In order to allow for a correct compari-son one has to define the relevant secure communicationscenarios. There are two basic possibilities: !i" QKD isused in conjunction with one-time pad or !ii" QKD isused together with some high-speed encryptor !we notein passing that the second scenario appears to be themain target for the few QKD producers".

The rate as a function of distance has been discussedin detail in the preceding sections. Here we consider an“average” modern QKD device operating in the rangeof 1–10 kilobytes per second !kbps" over 25 km; themaximal distance of operation at above 100 bps beingaround 100 km.

Case !i" obviously offers information-theoretic secu-rity of communication if the classical channel, in boththe key generation and the encryption phases, is addi-tionally authenticated with the same degree of security.As the overhead for this is negligible, the QKD genera-tion rates as presented above are also the rates for se-cure communication. Obviously this is not sufficient forbroadband data transmission but quite adequate forcommunicating very highly sensitive data. Another ad-

70See Rijmen !2007".



vantage of this combination is the fact that keys can bestored for later use.

The security of the case !ii" is equivalent to the secu-rity of the high-speed encryption, which we addressedabove, while all threats related to the key generationphase are eliminated. At 25 km the QKD speed wouldallow key refreshment !e.g., in the case of AES with256 bit key length" several times per second. This is re-markable for two reasons: first, this is at or rather be-yond the key-exchange capacity of current high-speedencryptors; second, it compares also to the performanceof high-level classical link encryptors, which refreshAES keys a few times per second using Diffie-Hellmanelliptic curve cryptography for key generation. So in thesecond scenario QKD outperforms the standard solu-tion at 25 km distance in terms of both speed and secu-rity.

Regarding the distance, an interesting point is thatclassical high-end encryptors use direct dark fibers, notfor reasons related to security but to achieve maximalspeed, which also gives them a limitation in distance.However, classical key generation performed in softwareis naturally not bounded by the distance. In this sensestandard public-key-based key agreement appears supe-rior. This is, however, a QKD limitation typical for thepoint-to-point regime. As mentioned above, it is lifted inQKD networks.

Note added in proof . One of the pending issues to-ward unconditional security proofs of CV QKD, namely,the fact that the security bound for collective and gen-eral attacks should coincide asymptotically, has beensolved !Renner and Cirac, 2009". The solution makesuse of a exponential De Finetti–type theorem. Anotherapproach, which would reach the same conclusion basedonly on the symmetries of the protocol, is being pursued!Leverrier, Karpov, Grangier, and Cerf, 2008".

ACKNOWLEDGMENTS

This paper has been written within the EuropeanProject SECOQC. The following members of the QITsubproject have significantly contributed to the reportthat formed the starting point of the present review: Ste-fano Bettelli, Kamil Brádler, Cyril Branciard, NicolasGisin, Matthias Heid, and Louis Salvail. During thepreparation of this review, we had further fruitful ex-changes with the above-mentioned colleagues, as well aswith Romain Alléaume, Lucie Bartu!ková, Alexios Bev-eratos, Hugues De Riedmatten, Eleni Diamanti, ArturEkert, Philippe Grangier, Frédéric Grosshans, Micha$Horodecki, Hannes Huebel, Masato Koashi, ChristianKurtsiefer, Antia Lamas-Linares, Anthony Leverrier,Hoi-Kwong Lo, Chiara Macchiavello, Michele Mosca,Miguel Navascués, Andrea Pasquinucci, Renato Renner,Andrew Shields, Christoph Simon, Kiyoshi Tamaki, Ya-suhiro Tokura, Akihisa Tomita, Zhiliang Yuan, andHugo Zbinden.

APPENDIX A: UNCONDITIONAL SECURITY BOUNDSFOR BB84 AND SIX-STATE SINGLE-QUBITSIGNALS

In this appendix, we present a derivation of the un-conditional security bounds for the BB84 !Shor andPreskill, 2000" and six-state protocols !Lo, 2001" for thecase where each quantum signal is a single qubit, ormore generally when the quantum channel is a qubitchannel followed by a qubit detection.71

As usual, the proof is done in the EB scheme, theapplication to the P&M case following immediately asdiscussed in Sec. II.B.2. Alice produces the state #'+$= !1/%2"!#00$+ #11$"; she keeps the first qubit and sendsthe other one to Bob. This state is such that //z !/z$= //x !/x$=+1 !perfectly correlated outcomes" and //y!/y$=#1 !perfectly anticorrelated outcomes"; to haveperfect correlation in all three bases, Bob flips his resultwhen he measures /y. We suppose an asymmetric imple-mentation of the protocols: the key is extracted onlyfrom the measurements in the Z basis, which is usedalmost always; the other measurements are used to esti-mate Eve’s knowledge of the Z basis, and will be usedon a negligible sample !recall that we work in theasymptotic regime of infinitely long keys".

Now we follow the techniques of Kraus, Gisin, andRenner !2005" and Renner, Gisin, and Kraus !2005".Without loss of generality, the symmetries of the BB84and six-state protocols72 imply that one can compute thebound by restricting consideration to collective attacks,and, even further, to those collective attacks such thatthe final state of Alice and Bob is Bell diagonal,

(AB = 71#'+$/'+# + 72#'#$/'##

+ 73#%+$/%+# + 74#%#$/%## , !A1"

with (i7i=1. Since #'±$ give perfect correlations in the Zbasis, while #%±$ give perfect anticorrelations, theQBER +z is given by

+z = 73 + 74. !A2"

The error rates in the other bases are

+x = 72 + 74, +y = 72 + 73. !A3"

Eve’s information is given by the Holevo bound !24" IE

=S!(E"# 12S!(E#0"# 1

2S!(E#1" since both values of the bitare equiprobable in this attack. Since Eve has a purifi-cation of (AB, S!(E"=S!(AB"=H!&71 ,72 ,73 ,74'"-H!7" "where H is Shannon entropy. The computation of (E#b ismade in two steps. First, one writes down explicitly the

71For real optical channels, we therefore assume the taggingmethod for real sources and the squashing model for the de-tection; see Sec. IV.A.2.

72Actually, a lower bound can be computed in the same wayfor a very general class of protocols; but it may not be tight, asexplicitly found in the case of SARG04 !Branciard et al., 2005;Kraus, Branciard, and Renner, 2007".



purification73 #%$ABE=(i%7i#'i$AB#ei$E, where we used achange of notation for the Bell states, and where /ei #ej$=Bij. Then, one traces out Bob and projects Alice on#+z$ for b=0 and on ##z$ for b=1. All calculations done,the result is S!(E#0"=S!(E#1"=h!+z". So we have obtained

IE!7" " = H!7" " # h!+z" . !A4"

Now we have to particularize to the two protocols understudy.

We start with the six-state protocol. In this case, both+x and +y are measured, so all four 7’s are directly deter-mined. After some algebra, one finds

IE!+" " = +zh21 + !+x # +y"/+z

23

+ !1 # +z"h21 # !+x + +y + +z"/21 # +z

3 . !A5"

Under the usual assumption of a depolarizing channel,+x=+y=+z=Q, this becomes

IE!Q" = Q + !1 # Q"h21 # 3Q/21 # Q

3 . !A6"

The corresponding secret fraction !one-way postprocess-ing, no preprocessing, and perfect error correction" isr=1#h!Q"#IE!Q", which goes to 0 for Q)12.61%.

The calculation is slightly more complicated for theBB84 protocol because there only +x is measured; there-fore, there is still a free parameter, which must be cho-sen so as to maximize Eve’s information. The simplestway of performing this calculation consists in writing71= !1#+z"!1#u", 72= !1#+z"u, 73=+z!1#v", and 74=+zv,where u ,v! +0,1, are subject to the additional con-straint

!1 # +z"u + +zv = +x. !A7"

Under this parametrization, H!7" "=h!+z"+ !1#+z"h!u"++zh!v" and consequently

IE!7" " = !1 # +z"h!u" + +zh!v" , !A8"

to be maximized under the constraint !A7". This can bedone by inserting v=v!u" and taking the derivative withrespect to u. The result is that the optimal choice is u=v=+x so that

IE!+" " = h!+x" . !A9"

The usual case is +x=+z=Q, which, however, here doesnot correspond to the depolarizing channel: the relationsabove imply +y=2Q!1#Q", which corresponds to the ap-plication of the so-called “phase-covariant cloning ma-chine” !Griffiths and Niu, 1997; Bruß et al., 2000". Thecorresponding secret fraction !again for one-way post-processing, no preprocessing, and perfect error correc-

tion" is r=1#h!Q"#IE!Q", which goes to 0 for Q)11%.

APPENDIX B: ELEMENTARY ESTIMATES FORQUANTUM REPEATERS

1. Quantum memories

A quantum memory is a device that can store an in-coming quantum state !typically, of light" and reemit iton demand without loss of coherence. A full review ofthe research in quantum memories is clearly beyond ourscope. Experiments are being pursued using severaltechniques, such as atomic ensembles !Julsgaard et al.,2004; Chou et al., 2007", NV centers !Childress et al.,2006", and doped crystals !Alexander et al., 2006; Staudtet al., 2007".

Two characteristics of quantum memories are espe-cially relevant for quantum repeaters. A memory iscalled multimode if it can store several light modes andone can select which mode to reemit; multimode memo-ries are being realized !Simon et al., 2007". A memory iscalled heralded if its status !loaded or not loaded" can belearned without perturbation; there is no current pro-posal on how to realize such a memory, and repeaterschemes have been found that work without heraldedmemories !Duan et al., 2001".

2. Model of quantum repeater

Here we present a comparison of the direct link withthe two-link repeater and discuss the advantages andproblems that arise in more complex repeaters. We con-sider the architecture sketched in Fig. 8, correspondingto the original idea !Briegel et al., 1998".

a. Definition of the model

Our elementary model is described as follows:

• Source: Perfect two-photon source with repetitionrate >S.

73All purifications are equivalent under a local unitary opera-tion on Eve’s system, so Eve’s information does not changewith the choice of the purification.

A B

A BC

M M

A B

M M

C1 C2D

A B

A BC

M M

A B

M M

C1 C2D

FIG. 8. Three configurations for quantum repeaters: directlink, two-link repeater, and four-link repeater.



• Quantum channel: The total distance between Aliceand Bob is !. The channel is noiseless; its losses arecharacterized by 6, and we denote by t=10#6!/10 thetotal transmittivity.

• Detectors of Alice and Bob: Efficiency =; darkcounts, dead time, and other nuisances are neglected.

• Quantum memories: Multimode memories that canstore N modes. We write as pM the probability that aphoton is absorbed and then reemitted on demand!contains all the losses due to coupling with otherelements". The memory has a typical time TM, whichwe consider as a lifetime.74

• Bell measurement: Linear optics, i.e., the probabilityof success is 1

2 . The fidelity is F and the noise is de-polarized +i.e., a detection comes from the desiredBell state with probability F; from any of the otherswith equal probability !1#F" /3,. The detectors haveefficiency =M and no dark counts.

b. Detection rates

For the direct link, the key rate is the detection rate inour simplified model,

K1 = R1 = >St=2. !B1"

In the two-link repeater, the central station !Chris-toph" holds the two sources and the memories. Considerone of the links, say with Alice. The source producesgroups of N pairs, each pair in a different mode; onephoton per pair is kept in the memory, the other is sentto Alice. Alice announces whether she has detected atleast one photon: if she has, Christoph notes which one;if she has not, Christoph releases the memory and startsthe protocol again. The same is happening on the otherlink, the one with Bob, independently. As soon as bothpartners have announced a detection, Christoph releasesthe corresponding photons, performs the Bell measure-ment and communicates the result to Alice and Bob,who postselect their results accordingly.75 Note that thememories need not be heralded in this scheme.

Here is the quantitative analysis of the two-link re-peater. Any elementary run takes the time for the pho-ton to go from the source to the detector, then for thecommunication to reach back Christoph, i.e., ! /c. Ineach run, the probability of a detection is 1# !1#%t="N

)N%t=. Then, on average, the Bell measurement will be

performed after a time76 ,) 32! /c /N%t=. Consequently,

R2 = 6,#112

pM2 =M

2 if , # TM

0 otherwise,7 !B2"

where we have supposed that the memory time TM de-fines a sharp cut, which is another simplification. This isthe expected result: R2 scales with %t= and not with t=2

because each link can be activated independently. Fi-nally, in our model, the error rate is uncorrelated withthe other parameters and only due to the fidelity of theBell measurement; so

K2 = R2+1 # 2h!+", !B3"

with += 23 !1#F" because one of the “wrong” Bell states

nevertheless gives the correct bit correlations. In par-ticular, the fidelity of a Bell measurement must exceed83.5% to have K2-0.

Some plots of K1 and K2 as a function of the distanceare shown in Fig. 9. The chosen values are already opti-mistic extrapolations of what could be achieved in thenot too distant future. We notice that quantum repeatersovercome the direct link for !$500 km in fibers; with==0.5 and N=1000, this requires TM)10 s. Also, thenumber of modes supported by the memory is a morecritical parameter than the fidelity of the Bell measure-

74That is, photons may be lost but do not decohere in thememory. Note that this can be the case even if the atoms,which form the memory, do undergo some decoherence!Staudt et al., 2007".

75Recall that there is no time ordering in quantum correla-tions, so this procedure gives exactly the same statistics as the“usual” entanglement swapping, in which the Bell measure-ment is made beforehand.

76In fact, let x=1# !1#%t="N: the probability that Alice’s!Bob’s" detector is activated by the mth group of N pairsis p1!m"=x!1#x"m#1. Therefore, the probability that bothlinks are activated exactly by the nth repetition is p!n"=2p1!n"p1!#n"+p1!n"2=x!1#x"n#1+2# !2#x"!1#x"n#1, withp1!#n"=(m=1

n#1 p1!m". Finally, the number of repetitions neededto establish the link is /n$=(nnp!n"= !1/x"+!3#2x" / !2#x",.

0 100 200 300 400 500 600 70010

!5

100

105

1010

distance [km]

(b)

(a)

(c)

FIG. 9. Comparison of K1 !straight line" and K2. For all curves,>S=10 GHz, ==0.5, =M=0.9, pM=0.9, 6=0.2 dB/km !fibers",TM=10 s. Line !a", best case, N=1000, F=0.95; line !b", N=1000, fidelity reduced to F=0.9; line !c", supported modesreduced to N=100, F=0.95.



ment. This analysis provides a rough idea of the perfor-mances to be reached in order for quantum repeaters tobe useful.

For the next step, the four-link repeater, we contentourselves with a few remarks. The four-link repeater al-lows one in principle to reach the scaling R4A t1/4. Therequirements for a practical implementation, however,become more stringent: the four memories must be re-leased before TM; there are three Bell measurements, so+#11% requires F$95%; also, pM!)pMt1/4. Moreover,it is easy to realize that the basic scheme !Fig. 8" requiresheralded memories, although other schemes do not!Duan et al., 2001".

REFERENCES

Acín, A., N. Brunner, N. Gisin, S. Massar, S. Pironio, and V.Scarani, 2007, Phys. Rev. Lett. 98, 230501.

Acín, A., J. I. Cirac, and L. Masanes, 2004, Phys. Rev. Lett. 92,107903.

Acín, A., and N. Gisin, 2005, Phys. Rev. Lett. 94, 020501.Acín, A., N. Gisin, and L. Masanes, 2006, Phys. Rev. Lett. 97,

120405.Acín, A., N. Gisin, and V. Scarani, 2004, Phys. Rev. A 69,

012309.Adachi, Y., T. Yamamoto, M. Koashi, and N. Imoto, 2007,

Phys. Rev. Lett. 99, 180503.Agrawal, G. P., 1997, Fiber-Optic Communication Systems

!Wiley, New York".Ahlswede, R., and I. Csiszár, 1993, IEEE Trans. Inf. Theory

39, 1121.Alexander, A. L., J. J. Longdell, M. J. Sellars, and N. B. Man-

son, 2006, Phys. Rev. Lett. 96, 043602.Alléaume, R., J. Bouda, C. Branciard, T. Debuisschert, M. Di-

anati, N. Gisin, M. Godfrey, P. Grangier, T. Länger, A. Le-verrier, N. Lütkenhaus, P. Painchault, M. Peev, A. Poppe, T.Pornin, J. Rarity, R. Renner, G. Ribordy, M. Riguidel, L.Salvail, A. Shields, H. Weinfurter, and A. Zeilinger, 2007,e-print arXiv:quant-ph/0701168.

Alléaume, R., F. Roueff, E. Diamanti, and N. Lütkenhaus,2009, e-print arXiv:0903.0839.

Alléaume, R., F. Treussart, G. Messin, Y. Dumeige, J.-F. Roch,A. Beveratos, R. Brouri-Tualle, J.-P. Poizat, and P. Grangier,2004, New J. Phys. 6, 92.

Aspelmeyer, M., T. Jennewein, M. Pfennigbauer, W. Leeb, andA. Zeilinger, 2003, IEEE J. Sel. Top. Quantum Electron. 9,1541.

Bae, J., and A. Acín, 2007, Phys. Rev. A 75, 012334.Barnum, H., J. Barrett, M. Leifer, and A. Wilce, 2006, e-print

arXiv:quant-ph/0611295.Barrett, J., L. Hardy, and A. Kent, 2005, Phys. Rev. Lett. 95,

010503.Beaudry, N. J., T. Moroder, and N. Lütkenhaus, 2008a, Phys.

Rev. Lett. 101, 093601.Beaudry, N. J., T. Moroder, and N. Lütkenhaus, 2008b, unpub-

lished.Bechmann-Pasquinucci, H., 2006, Phys. Rev. A 73, 044305.Bechmann-Pasquinucci, H., and N. Gisin, 1999, Phys. Rev. A

59, 4238.Bechmann-Pasquinucci H., and A. Pasquinucci, 2005, e-print

arXiv:quant-ph/0505089.Bechmann-Pasquinucci, H., and A. Peres, 2000, Phys. Rev.

Lett. 85, 3313.Bechmann-Pasquinucci, H., and W. Tittel, 2000, Phys. Rev. A

61, 062308.Beige, A., B.-G. Englert, C. Kurtsiefer, and H. Weinfurter,

2002, Acta Phys. Pol. A 101, 357.Bennett, C. H., 1992, Phys. Rev. Lett. 68, 3121.Bennett, C. H., F. Bessette, L. Salvail, G. Brassard, and J. Smo-

lin, 1992, J. Cryptology 5, 3.Bennett, C. H. and G. Brassard, 1984, Proceedings IEEE In-

ternational Conference on Computers, Systems and SignalProcessing, Bangalore, India !IEEE, New York", p. 175.

Bennett, C. H., G. Brassard, S. Bredibart, and S. Wiesner,1984, IBM Tech. Discl. Bull. 26, 4363.

Bennett, C. H., G. Brassard, C. Crépeau, and U. Maurer, 1995,IEEE Trans. Inf. Theory 41, 1915.

Bennett, C. H., G. Brassard, and N. D. Mermin, 1992, Phys.Rev. Lett. 68, 557.

Bennett, C. H., G. Brassard, and J.-M. Robert, 1988, SIAM J.Comput. 17, 210.

Ben-Or, M., 2002, Security of BB84 QKD Protocol.Ben-Or, M., M. Horodecki, D. W. Leung, D. Mayers, and J.

Oppenheim, 2005, Theory of Cryptography: Second Theory ofCryptography Conference, TCC 2005, Lecture Notes in Com-puter Science Vol. 3378 !Springer Verlag, Berlin", p. 387.

Bethune, D., and W. Risk, 2000, IEEE J. Quantum Electron.36, 340.

Beveratos, A., R. Bruori, T. Gacoin, A. Villing, J. P. Poizat,and P. Grangier, 2002, Phys. Rev. Lett. 89, 187901.

Biham, E., M. Boyer, G. Brassard, J. van de Graaf, and T. Mor,2005, Algorithmica 34, 372.

Biham, E., and T. Mor, 1997, Phys. Rev. Lett. 78, 2256.Bloch, M., A. Thangaraj, S. W. McLaughlin, and J.-M. Merolla,

2005, e-print arXiv:cs.IT/0509041.Bloom, S., E. Korevaar, J. Schuster, and H. Willebrand, 2003,

J. Opt. Netw. 2, 178.Boileau, J. C., D. Gottesman, R. Laflamme, D. Poulin, and R.

W. Spekkens, 2004, Phys. Rev. Lett. 92, 017901.Boström, K., and T. Felbinger, 2002, Phys. Rev. Lett. 89,

187902.Boucher, W., and T. Debuisschert, 2005, Phys. Rev. A 72,

062325.Bourennane, M., M. Eibl, S. Gaertner, C. Kurtsiefer, A. Ca-

bello, and H. Weinfurter, 2004, Phys. Rev. Lett. 92, 107901.Brainis, E., L.-P. Lamoureux, N. J. Cerf, P. Emplit, M. Haelter-

man, and S. Massar, 2003, Phys. Rev. Lett. 90, 157902.Branciard, C., N. Gisin, B. Kraus, and V. Scarani, 2005, Phys.

Rev. A 72, 032301.Branciard, C., N. Gisin, N. Lütkenhaus, and V. Scarani, 2007,

Quantum Inf. Comput. 7, 639.Branciard, C., N. Gisin, and V. Scarani, 2008, New J. Phys. 10,

013031.Brassard, G., N. Lütkenhaus, T. Mor, and B. C. Sanders, 2000,

Phys. Rev. Lett. 85, 1330.Brassard, G., T. Mor, and B. C. Sanders, 2000, in Quantum

Communication, Computing and Measurement 2, edited by P.Kumar, G. M. D’Ariano, and O. Hirota !Kluwer Academic/Plenum, New York", pp. 381–386.

Brassard, G., and L. Salvail, 1994, Advances in Cryptology—EUROCRYPT ’93, Lecture Notes in Computer Science Vol.765 !Springer Verlag, Berlin", pp. 410–423.

Bréguet, J., A. Muller, and N. Gisin, 1994, J. Mod. Opt. 41,2405.

Brendel, J., N. Gisin, W. Tittel, and H. Zbinden, 1999, Phys.



Rev. Lett. 82, 2594.Briegel, H.-J., W. Dür, J. I. Cirac, and P. Zoller, 1998, Phys.

Rev. Lett. 81, 5932.Bruß, D., 1998, Phys. Rev. Lett. 81, 3018.Bruß, D., M. Cinchetti, G. M. D’Ariano, and C. Macchiavello,

2000, Phys. Rev. A 62, 012302.Buttler, W. T., R. J. Hughes, P. G. Kwiat, S. K. Lamoreaux, G.

G. Luther, G. L. Morgan, J. E. Nordholt, C. G. Peterson, andC. M. Simmons, 1998, Phys. Rev. Lett. 81, 3283.

Camatel, S., and V. Ferrero, 2006, IEEE Photonics Technol.Lett. 18, 142.

Carter, J. L., and M. N. Wegman, 1979, J. Comput. Syst. Sci. 18,143.

Cerf, N. J., M. Bourennane, A. Karlsson, and N. Gisin, 2002,Phys. Rev. Lett. 88, 127902.

Cerf, N. J., A. Ipe, and X. Rottenberg, 2000, Phys. Rev. Lett.85, 1754.

Cerf, N. J., M. Lévy, and G. Van Assche, 2001, Phys. Rev. A63, 052311.

Chau, H. F., 2002, Phys. Rev. A 66, 060302!R".Chen, T.-Y., J. Zhang, J.-C. Boileau, X.-M. Jin, B. Yang, Q.

Zhang, T. Yang, R. Laflamme, and J.-W. Pan, 2006, Phys. Rev.Lett. 96, 150504.

Childress, L., J. M. Taylor, A. S. Sorensen, and M. D. Lukin,2006, Phys. Rev. Lett. 96, 070504.

Chou, C.-W., J. Laurat, H. Deng, K. S. Choi, H. de Riedmat-ten, D. Felinto, H. J. Kimble, 2007, Science 316, 1316.

Cleve, R., D. Gottesman, and H.-K. Lo, 1999, Phys. Rev. Lett.83, 648.

Collins D., N. Gisin, and H. de Riedmatten, 2005, J. Mod. Opt.52, 735.

Coppersmith, D., D. B. Johnson, and S. M. Matyas, 1996, IBMJ. Res. Dev. 40, 253.

Cova, S., M. Ghioni, A. Lotito, I. Rech, and F. Zappa, 2004, J.Mod. Opt. 51, 1267.

Crépeau, C., D. Gottesman, and A. Smith, 2005, Advances inCryptology—EUROCRYPT 2005, Lecture Notes in Com-puter Science Vol. 3494 !Springer Verlag, Berlin", pp. 285–301.

Csiszár, I., and J. Körner, 1978, IEEE Trans. Inf. Theory 24,339.

Curty, M., M. Lewenstein, and N. Lütkenhaus, 2004, Phys.Rev. Lett. 92, 217903.

Curty, M., and N. Lütkenhaus, 2004, Phys. Rev. A 69, 042321.Curty, M., and N. Lütkenhaus, 2005, Phys. Rev. A 71, 062301.Curty, M., K. Tamaki, and T. Moroder, 2008, Phys. Rev. A 77,

052321.Curty, M., L. Zhang, H.-K. Lo, and N. Lütkenhaus, 2007,

Quantum Inf. Comput. 7, 665.Daemen, J., and V. Rijmen, 2001, Dr. Dobb’s J. 26, 137.Damgaard, I. B., S. Fehr, R. Renner, L. Salvail, and C.

Schaffner, 2007, CRYPTO 2007, Lecture Notes in ComputerScience Vol. 4622 !Springer Verlag, Berlin".

Damgaard, I. B., S. Fehr, L. Salvail, and C. Schaffner, 2005,Proceedings of the 46th IEEE Symposium on Foundations ofComputer Science—FOCS 2005 !unpublished", p. 449

De Riedmatten, H., I. Marcikic, V. Scarani, W. Tittel, H. Zbin-den, and N. Gisin, 2004, Phys. Rev. A 69, 050304!R".

De Riedmatten, H., V. Scarani, I. Marcikic, A. Acín, W. Tittel,H. Zbinden, and N. Gisin, 2004, J. Mod. Opt. 51, 1637.

Deutsch, D., A. K. Ekert, R. Jozsa, C. Macchiavello, S. Pope-scu, and A. Sanpera, 1996, Phys. Rev. Lett. 77, 2818.

Devetak, I., and A. Winter, 2005, Proc. R. Soc. London, Ser. A

461, 207.Diamanti, E., H. Takesue, T. Honjo, K. Inoue, and Y. Yama-

moto, 2005, Phys. Rev. A 72, 052311.Diamanti, E., H. Takesue, C. Langrock, M. M. Fejer, and Y.

Yamamoto, 2006, Opt. Express 14, 13073.Dianati, M., and R. Alléaume, 2006, e-print arXiv:quant-ph/

0610202.Dianati, M., R. Alléaume, M. Gagnaire, and X. Shen, 2008,

Secur. Commun. Netw. 1, 57.Diffie, W., and M. E. Hellman, 1976, IEEE Trans. Inf. Theory

IT-22, 644.Duan, L. M., M. D. Lukin, J. I. Cirac, and P. Zoller, 2001,

Nature !London" 414, 413.Dür, W., H.-J. Briegel, J. I. Cirac, and P. Zoller, 1999, Phys.

Rev. A 59, 169.Durkin, G. A., C. Simon, and D. Bouwmeester, 2002, Phys.

Rev. Lett. 88, 187902.Du!ek, M., O. Haderka, and M. Hendrych, 1999, Opt. Com-

mun. 169, 103.Du!ek, M., M. Jahma, and N. Lütkenhaus, 2000, Phys. Rev. A

62, 022306.Du!ek, M., N. Lütkenhaus, and M. Hendrych, 2006, in

Progress in Optics, edited by E. Wolf !Elsevier, New York",Vol. 49, p. 381.

Eisenberg, H. S., G. Khoury, G. A. Durkin, C. Simon, and D.Bouwmeester, 2004, Phys. Rev. Lett. 93, 193901.

Ekert, A. K., 1991, Phys. Rev. Lett. 67, 661.Ekert, A. K., N. Gisin, B. Huttner, H. Inamori, and H. Wein-

furter, 2001, in The Physics of Quantum Information, editedby D. Bouwmeester, A. K. Ekert, and A. Zeilinger !SpringerVerlag, London".

Elliott, C., 2002, New J. Phys. 4, 46.Elliott, C., A. Colvin, D. Pearson, O. Pikalo, J. Schlafer, and

H. Yeh, 2005, e-print arXiv:quant-ph/0503058.Englert, B.-G., D. Kaszlikowski, H. K. Ng, W. K. Chua, J. Re-

hácek, and J., Anders, 2004, e-print arXiv:quant-ph/0412075.Erven, C., C. Couteau, R. Laflamme, and G. Weihs, 2008,

e-print arXiv:0807.2289.Fasel, S., N. Gisin, G. Ribordy, and H. Zbinden, 2004, Eur.

Phys. J. D 30, 143.Franson, J. D., and H. Ilves, 1994, J. Mod. Opt. 41, 2391.Fuchs, C. A., N. Gisin, R. B. Griffiths, C.-S. Niu, and A. Peres,

1997, Phys. Rev. A 56, 1163.Fung, C.-H. F., B. Qi, K. Tamaki, and H.-K. Lo, 2007, Phys.

Rev. A 75, 032314.Fung, C.-H. F., K. Tamaki, and H.-K. Lo, 2006, Phys. Rev. A

73, 012337.Galtarossa, A., and C. R. Menyuk, 2005, Polarization Mode

Dispersion !Springer, Berlin".García-Patrón, R., 2007, Ph.D. thesis !Université Libre de

Bruxelles".García-Patrón, R., and N. J. Cerf, 2006, Phys. Rev. Lett. 97,

190503.Gisin, N., S. Fasel, B. Kraus, H. Zbinden, and G. Ribordy,

2006, Phys. Rev. A 73, 022320.Gisin, N., and J. P. Pellaux, 1992, Opt. Commun. 89, 316.Gisin, N., G. Ribordy, W. Tittel, and H. Zbinden, 2002, Rev.

Mod. Phys. 74, 145.Gisin, N., G. Ribordy, H. Zbinden, D. Stucki, N. Brunner, and

V. Scarani, 2004, e-print arXiv:quant-ph/0411022.Gisin, N., and S. Wolf, 1999, Phys. Rev. Lett. 83, 4200.Gisin, N., and S. Wolf, 2000, Proceedings of CRYPTO 2000,

Lecture Notes in Computer Science Vol. 1880 !Springer Ver-



lag, Berlin", p. 482.Gobby, C., Z. L. Yuan, and A. J. Shields, 2004, Appl. Phys.

Lett. 84, 3762.Goldenberg, L., and L. Vaidman, 1995, Phys. Rev. Lett. 75,

1239.Goldenberg, L., and L. Vaidman, 1996, Phys. Rev. Lett. 77,

3265.Gomez-Sousa, H., and M. Curty, 2009, Quant. Inf. Comput. 9,

62.Gottesman, D., and H.-K. Lo, 2003, IEEE Trans. Inf. Theory

49, 457.Gottesman, D., H.-K. Lo, N. Lütkenhaus, and J. Preskill, 2004,

Quantum Inf. Comput. 4, 325.Gottesman, D., and J. Preskill, 2001, Phys. Rev. A 63, 022309.Griffiths, R. B., and C.-S. Niu, 1997, Phys. Rev. A 56, 1173.Grosshans, F., 2005, Phys. Rev. Lett. 94, 020504.Grosshans, F., and N. J. Cerf, 2004, Phys. Rev. Lett. 92, 047905.Grosshans, F., N. J. Cerf, J. Wenger, R. Tualle-Brouri, and P.

Grangier, 2003, Quantum Inf. Comput. 3, 535.Grosshans, F., and P. Grangier, 2002a, Phys. Rev. Lett. 88,

057902.Grosshans, F., and P. Grangier, 2002b, Proceedings of the Sixth

International Conference on Quantum Communications, Mea-surement, and Computing (QCMC’02) !Rinton Press, Prince-ton, NJ".

Grosshans, F., G. Van Assche, J. Wenger, R. Tualle-Brouri, N.J. Cerf, and P. Grangier, 2003, Nature !London" 421, 238.

Grover, L. K., 1996, Proceedings of the 28th Annual ACMSymposium on the Theory of Computing, STOC’96 !ACM,New York", p. 212.

Grover, L. K., 1997, Phys. Rev. Lett. 79, 325.Hadfield, R. H., J. L. Habif, J. Schlafer, R. E. Schwall, and S.

W. Nam, 2006, Appl. Phys. Lett. 89, 241129.Halder, M., A. Beveratos, N. Gisin, V. Scarani, C. Simon, and

H. Zbinden, 2007, Nat. Phys. 3, 692.Hasegawa, J., M. Hayashi, T. Hiroshima, A. Tanaka, and A.

Tomita, 2007, e-print arXiv:0705.3081.Häseler, H., T. Moroder, and N. Lütkenhaus, 2008, Phys. Rev.

A 77, 032303.Hayashi, M., 2006, Phys. Rev. A 74, 022307.Hayashi, M., 2007a, Phys. Rev. A 76, 012329.Hayashi, M., 2007b, New J. Phys. 9, 284.Heid, M., and N. Lütkenhaus, 2006, Phys. Rev. A 73, 052316.Heid, M., and N. Lütkenhaus, 2007, Phys. Rev. A 76, 022313.Helstrom, C. W., 1976, Quantum Detection and Estimation

Theory !Academic, New York".Herbauts, I. M., S. Bettelli, H. Hübel, and M. Peev, 2008, Eur.

Phys. J. D 46, 395.Hillery, M., 2000, Phys. Rev. A 61, 022309.Hillery, M., V. Bu"ek, and A. Berthiaume, 1999, Phys. Rev. A

59, 1829.Hiskett, P. A., D. Rosenberg, C. G. Peterson, R. J. Hughes, S.

W. Nam, A. E. Lita, A. J. Miller, and J. E. Nordholt, 2006,New J. Phys. 8, 193.

Holevo, A. S., 1973, Probl. Inf. Transm. 9, 177.Horodecki, K., M. Horodecki, P. Horodecki, D. Leung, and J.

Oppenheim, 2008a, IEEE Trans. Inf. Theory 54, 2604.Horodecki, K., M. Horodecki, P. Horodecki, D. Leung, and J.

Oppenheim, 2008b, Phys. Rev. Lett. 100, 110502.Horodecki, K., M. Horodecki, P. Horodecki, and J. Oppen-

heim, 2005, Phys. Rev. Lett. 94, 160502.Hübel, H., M. R. Vanner, T. Lederer, B. Blauensteiner, T.

Lorünser, A. Poppe, and A. Zeilinger, 2007, Opt. Express 15,

7853.Hughes, R. J., J. E. Nordholt, D. Derkacs, and C. G. Peterson,

2002, New J. Phys. 4, 43.Huttner, B., N. Imoto, N. Gisin, and T. Mor, 1995, Phys. Rev.

A 51, 1863.Hwang, W.-Y., 2003, Phys. Rev. Lett. 91, 057901.Inamori, H., N. Lütkenhaus, and D. Mayers, 2007, Eur. Phys. J.

D 41, 599.Inoue, K., and T. Honjo, 2005, Phys. Rev. A 71, 042305.Inoue, K., E. Waks, and Y. Yamamoto, 2002, Phys. Rev. Lett.

89, 037902.Inoue, K., E. Waks, and Y. Yamamoto, 2003, Phys. Rev. A 68,

022317.Intallura, P. M., M. B. Ward, O. Z. Karimov, Z. L. Yuan, P. See,

A. J. Shields, P. Atkinson, and D. A. Ritchie, 2007, Appl.Phys. Lett. 91, 161103.

Jacobs, B. C., T. B. Pittman, and J. D. Franson, 2002, Phys.Rev. A 66, 052307.

Jennewein, T., C. Simon, G. Weihs, H. Weinfurter, and A.Zeilinger, 2000, Phys. Rev. Lett. 84, 4729.

Julsgaard, B., J. Sherson, J. I. Cirac, J. Fiurasek, and E. S.Polzik, 2004, Nature !London" 432, 482.

Karlsson, A., M. Koashi, and N. Imoto, 1999, Phys. Rev. A 59,162.

Kim, I. I., and E. Korevaar, 2001,http://www.freespaceoptic.com/WhitePapers/SPIE2001b.pdf.

Kim, J., S. Takeuchi, Y. Yamamoto, and H. Hogue, 1999, Appl.Phys. Lett. 74, 902.

Koashi, M., 2004, Phys. Rev. Lett. 93, 120501.Koashi, M., 2005, e-print arXiv:quant-ph/0507154.Koashi, M., 2006a, J. Phys.: Conf. Ser. 36, 98.Koashi, M., 2006b, e-print arXiv:quant-ph/0609180.Koashi, M., 2007, e-print arXiv:0704.3661.Koashi, M., Y. Adachi, T. Yamamoto, and N. Imoto, 2008,

e-print arXiv:0804.0891.Koashi, M., and N. Imoto, 1997, Phys. Rev. Lett. 79, 2383.Koashi, M., and J. Preskill, 2003, Phys. Rev. Lett. 90, 057902.König, R., and R. Renner, 2007, e-print arXiv:0712.4291.König, R., R. Renner, A. Bariska, and U. Maurer, 2007, Phys.

Rev. Lett. 98, 140502.König, R., and B. Terhal, 2008, IEEE Trans. Inf. Theory 54,

749.Kraus, B., C. Branciard, and R. Renner, 2007, Phys. Rev. A 75,

012316.Kraus, B., N. Gisin, and R. Renner, 2005, Phys. Rev. Lett. 95,

080501.Kurtsiefer, C., P. Zarda, M. Halder, H. Weinfurter, P. M. Gor-

man, P. R. Tapster, and J. G. Rarity, 2002, Nature !London"419, 450.

Kurtsiefer, C., P. Zarda, S. Mayer, and H. Weinfurter, 2001, J.Mod. Opt. 48, 2039.

Kwiat, P. G., K. Mattle, H. Weinfurter, A. Zeilinger, A. V.Sergienko, and Y. Shih, 1995, Phys. Rev. Lett. 75, 4337.

Kwiat, P. G., E. Waks, A. G. White, I. Appelbaum, and P. H.Eberhard, 1999, Phys. Rev. A 60, R773.

Lamas-Linares, A., and C. Kurtsiefer, 2007, Opt. Express 15,9388.

Lance, A. M., T. Symul, V. Sharma, C. Weedbrook, T. C.Ralph, and P. K. Lam, 2005, Phys. Rev. Lett. 95, 180503.

Laurent, S., S. Varoutsis, L. Le Gratiet, A. Lemaître, I. Sagnes,F. Raineri, J. A. Levenson, I. Robert-Philip, and I. Abram,2005, Appl. Phys. Lett. 87, 163107.

Le Bellac, M., 2006, A Short Introduction to Quantum Infor-



mation and Quantum Computation !Cambridge UniversityPress, Cambridge".

Legré, M., H. Zbinden, and N. Gisin, 2006, Quantum Inf.Comput. 6, 326.

Leverrier, A., R. Alléaume, J. Boutros, G. Zémor, and P.Grangier, 2008, Phys. Rev. A 77, 042325.

Leverrier, A., E. Karpov, P. Grangier, and N. J. Cerf, 2008,e-print arXiv:0809.2252.

Li, Y., H. Mikami, H. Wang, and T. Kobayashi, 2005, Phys.Rev. A 72, 063801.

Ling, A., M. P. Peloso, I. Marcikic, V. Scarani, A. Lamas-Linares, and C. Kurtsiefer, 2008, Phys. Rev. A 78, 020301!R".

Lo, H.-K., 1997, Phys. Rev. A 56, 1154.Lo, H.-K., 1998, in Introduction to Quantum Computation and

Information, edited by H.-K. Lo, S. Popescu, and T. Spiller!World Scientific, Singapore".

Lo, H.-K., 2001, Quantum Inf. Comput. 1, 81.Lo, H.-K., 2003, New J. Phys. 5, 36.Lo, H.-K., 2005, Quantum Inf. Comput. 5, 413.Lo, H.-K., and H. F. Chau, 1997, Phys. Rev. Lett. 78, 3410.Lo, H.-K., and H. F. Chau, 1999, Science 283, 2050.Lo, H.-K., H. F. Chau, and M. Ardehali, 2005, J. Cryptology

18, 133.Lo, H.-K., X. Ma, and K. Chen, 2005, Phys. Rev. Lett. 94,

230504.Lo, H.-K., and J. Preskill, 2007, Quantum Inf. Comput. 8, 431.Lo, H.-K., and Y. Zhao, 2008, e-print arXiv:0803.2507.Lodewyck, J., M. Bloch, R. Garcia-Patron, S. Fossier, E. Kar-

pov, E. Diamanti, T. Debuisschert, N. J. Cerf, R. Tualle-Brouri, S. W. McLaughlin, and P. Grangier, 2007, Phys. Rev.A 76, 042305.

Lodewyck, J., T. Debuisschert, R. García-Patrón, R. Tualle-Brouri, N. J. Cerf, and P. Grangier, 2007, Phys. Rev. Lett. 98,030503.

Lodewyck, J., T. Debuisschert, R. Tualle-Brouri, and P.Grangier, 2005, Phys. Rev. A 72, 050303!R".

Lodewyck, J., and P. Grangier, 2007, Phys. Rev. A 76, 022332.Lorenz, S., N. Korolkova, and G. Leuchs, 2004, Appl. Phys. B:

Lasers Opt. 79, 273.Lorenz, S., J. Rigas, M. Heid, U. L. Andersen, N. Lütkenhaus,

and G. Leuchs, 2006, Phys. Rev. A 74, 042326.Lounis, B., and M. Orrit, 2005, Rep. Prog. Phys. 68, 1129.Lütkenhaus, N., 1996, Phys. Rev. A 54, 97.Lütkenhaus, N., 1999, Phys. Rev. A 59, 3301.Lütkenhaus, N., 2000, Phys. Rev. A 61, 052304.Lütkenhaus, N., and M. Jahma, 2002, New J. Phys. 4, 44.Ma, X., C.-H. F. Fung, F. Dupuis, K. Chen, K. Tamaki, and

H.-K. Lo, 2006, Phys. Rev. A 74, 032330.Ma, X., C.-H. F. Fung, and H.-K. Lo, 2007, Phys. Rev. A 76,

012307.Mair, A., A. Vaziri, G. Weihs, and A. Zeilinger, 2001, Nature

!London" 412, 3123.Makarov, V., A. Anisimov, and J. Skaar, 2006, Phys. Rev. A 74,

022313.Makarov, V., and D. R. Hjelme, 2005, J. Mod. Opt. 52, 691.Makarov, V., and J. Skaar, 2008, Quantum Inf. Comput. 8, 622.Mandel, L., and E. Wolf, 1995, Optical Coherence and Quan-

tum Optics !Cambridge University Press, Cambridge".Marcikic, I., A. Lamas-Linares, and C. Kurtsiefer, 2006, Appl.

Phys. Lett. 89, 101122.Masanes, L., 2009, Phys. Rev. Lett. 102, 140501.Masanes, L., A. Acín, and N. Gisin, 2006, Phys. Rev. A 73,

012112.

Mauerer, W., and C. Silberhorn, 2007, Phys. Rev. A 75,050305!R".

Maurer, U. M., 1993, IEEE Trans. Inf. Theory 39, 733.Maurer, U. M., and S. Wolf, 1999, SIAM J. Comput. 28, 1689.Maurer, U. M., and S. Wolf, 2000, Designs, Codes, Cryptogr.

19, 147.Mayers, D., 1996, Advances in Cryptology: Proceedings of

Crypto ’96 !Springer Verlag, Berlin", p. 343.Mayers, D., 1997, Phys. Rev. Lett. 78, 3414.Mayers, D., 2001, J. ACM 48, 351.Mérolla, J.-M., Y. Mazurenko, J.-P. Goedgebuer, and W. T.

Rhodes, 1999, Phys. Rev. Lett. 82, 1656.Meyer, T., H. Kampermann, M. Kleinmann, and D. Bruß,

2006, Phys. Rev. A 74, 042340.Miller, A. J., S. W. Nam, J. M. Martinis, and A. V. Sergienko,

2003, Appl. Phys. Lett. 83, 791.Mølmer, K., 1997, Phys. Rev. A 55, 3195.Muller, A., T. Herzog, B. Huttner, W. Tittel, H. Zbinden, and

N. Gisin, 1997, Appl. Phys. Lett. 70, 793.Muller, A., H. Zbinden, and N. Gisin, 1995, Nature !London"

378, 449.Naik, D. S., C. G. Peterson, A. G. White, A. J. Berglund, and

P. G. Kwiat, 2000, Phys. Rev. Lett. 84, 4733.Navascués, M., and A. Acín, 2005, Phys. Rev. Lett. 94, 020505.Navascués, M., F. Grosshans, and A. Acín, 2006, Phys. Rev.

Lett. 97, 190502.Nguyen, K.-C., G. Van Assche, and N. J. Cerf, 2004, Proceed-

ings of International Symposium on Information Theory andits Applications !ISITA", Parma, 2004 !unpublished".

Niederberger, A., V. Scarani, and N. Gisin, 2005, Phys. Rev. A71, 042316.

Ou, Z. Y., J.-K. Rhee, and L. J. Wang, 1999, Phys. Rev. A 60,593.

Peng, C.-Z., J. Zhang, D. Yang, W.-B. Gao, H.-X. Ma, H. Yin,H.-P. Zeng, T. Yang, X.-B. Wand, and J.-W. Pan, 2007, Phys.Rev. Lett. 98, 010505.

Peres, A., 1996, Phys. Rev. Lett. 77, 3264.Pirandola, S., S. L. Braunstein, and S. Lloyd,, 2008, Phys. Rev.

Lett. 101, 200504.Qi, B., C. H. F. Fung, H.-K. Lo, and X. Ma, 2007, Quantum Inf.

Comput. 7, 73.Qi, B., L.-L. Huang, L. Qian, and H.-K. Lo, 2007, Phys. Rev. A

76, 052323.Qi, B., Y. Zhao, X. Ma, H.-K. Lo, and L. Qian, 2007, Phys.

Rev. A 75, 052304.Ralph, T. C., 1999, Phys. Rev. A 61, 010303!R".Rarity, J. G., P. M. Gorman, and P. R. Tapster, 2001, Electron.

Lett. 37, 512.Rarity, J. G., P. R. Tapster, P. M. Gorman, and P. Knight, 2002,

New J. Phys. 4, 82.Reid, M. D., 2000, Phys. Rev. A 62, 062308.Renner, R., 2005, Ph.D. thesis, ETH Zürich.Renner, R., 2007, Nat. Phys. 3, 645.Renner, R., and J. I. Cirac, 2009, Phys. Rev. Lett. 102, 110504.Renner, R., N. Gisin, and B. Kraus, 2005, Phys. Rev. A 72,

012332.Renner, R., and R. König, 2005, Theory of Cryptography: Sec-

ond Theory of Cryptography Conference, TCC 2005, LectureNotes in Computer Science Vol. 3378 !Springer, Berlin", p.407.

Renner, R., and S. Wolf, 2005, Advances in Cryptology:CRYPTO 2003, Lecture Notes in Computer Science Vol.2729 !Springer, Berlin", p. 78.



Ribordy, G., J. D. Gautier, N. Gisin, O. Guinnard, and H.Zbinden, 1998, Electron. Lett. 34, 2116.

Ribordy, G., N. Gisin, O. Guinnard, D. Stucki, M. Wegmüller,and H. Zbinden, 2004, J. Mod. Opt. 51, 1381.

Rigas, J., O. Gühne, and N. Lütkenhaus, 2006, Phys. Rev. A73, 012341.

Rijmen, V., 2007, private communication.Rosenberg, D., J. W. Harrington, P. R. Rice, P. A. Hiskett, C.

G. Peterson, R. J. Hughes, A. E. Lita, S. W. Nam, and J. E.Nordholt, 2007, Phys. Rev. Lett. 98, 010503.

Rosenberg, D., A. E. Lita, A. J. Miller, and S. W. Nam, 2005,Phys. Rev. A 71, 061803!R".

Rosenberg, D., C. G. Peterson, J. W. Harrington, P. R. Rice, N.Dallmann, K. T. Tyagi, K. P. McCabe, S. W. Nam, B. Baek, R.H. Hadfield, R. J. Hughes, and J. E. Nordholt, 2009, New J.Phys. 11, 045009.

Saint-Girons, G., N. Chauvin, A. Michon, G. Patriarche, G.Beaudoin, B. Bremond, C. Bru-Chevalier, and I. Sagnes,2006, Appl. Phys. Lett. 88, 133101.

Sangouard, N., C. Simon, J. Minar, H. Zbinden, H. De Ried-matten, and N. Gisin, 2007, Phys. Rev. A 76, 050301!R".

Scarani, V., 2006, Quantum Physics—A First Encounter !Ox-ford University Press, Oxford".

Scarani, V., A. Acín, G. Ribordy, and N. Gisin, 2004, Phys.Rev. Lett. 92, 057901.

Scarani, V., H. De Riedmatten, I. Marcikic, H. Zbinden, andN. Gisin, 2005, Eur. Phys. J. D 32, 129.

Scarani, V., N. Gisin, N. Brunner, L. Masanes, S. Pino, and A.Acín, 2006, Phys. Rev. A 74, 042339.

Scarani, V., and R. Renner, 2008, Phys. Rev. Lett. 100, 200501.Shannon, C. E., 1949, Bell Syst. Tech. J. 28, 656.Shields, A. J., 2007, Nat. Photonics 1, 215.Shor, P. W., 1994, Proceedings of the 35th Annual Symposium

on the Foundations of Computer Science, Santa Fe !IEEEComputer Society, Los Alamitos", p. 124.

Shor, P. W., 1997, SIAM Sci. Stat. Comput. 26, 1484.Shor, P. W., and J. Preskill, 2000, Phys. Rev. Lett. 85, 441.Silberhorn, C., T. C. Ralph, N. Lütkenhaus, and G. Leuchs,

2002, Phys. Rev. Lett. 89, 167901.Simon, C., H. De Riedmatten, M. Afzelius, N. Sangouard, H.

Zbinden, and N. Gisin, 2007, Phys. Rev. Lett. 98, 190503.Slutsky, B. A., R. Rao, P.-C. Sun, and Y. Fainman, 1998, Phys.

Rev. A 57, 2383.Smith, G., J. M. Renes, and J. A. Smolin, 2008, Phys. Rev. Lett.

100, 170502.Staudt, M. U., S. R. Hastings-Simon, M. Nilsson, M. Afzelius,

V. Scarani, R. Ricken, H. Suche, W. Sohler, W. Tittel, and N.Gisin, 2007, Phys. Rev. Lett. 98, 113601.

Stinson, D. R., 1995, Cryptography, Theory and Practice !CRC,Boca Raton".

Stucki, D., C. Barreiro, S. Fasel, J.-D. Gautier, O. Gay, N.Gisin, R. Thew, Y. Thoma, P. Trinkler, F. Vannel, and H.Zbinden, 2008, e-print arXiv:0809.5264.

Stucki, D., N. Brunner, N. Gisin, V. Scarani, and H. Zbinden,2005, Appl. Phys. Lett. 87, 194108.

Sudjana, J., L. Magnin, R. Garcia-Patron, and N. J. Cerf, 2007,Phys. Rev. A 76, 052301.

Takesue, H., E. Diamanti, T. Honjo, C. Langrock, M. M. Fejer,K. Inoue, and Y. Yamamoto, 2005, New J. Phys. 7, 232.

Takesue, H., S. W. Nam, Q. Zhang, R. H. Hadfield, T. Honjo,K. Tamaki, and Y. Yamamoto, 2007, Nat. Photonics 1, 343.

Tamaki, K., M. Koashi, and N. Imoto, 2003, Phys. Rev. Lett.90, 167904.

Tamaki, K., and H.-K. Lo, 2006, Phys. Rev. A 73, 010302!R".Tamaki, K., and N. Lütkenhaus, 2004, Phys. Rev. A 69, 032316.Tamaki, K., N. Lütkenhaus, M. Koashi, and J. Batuwan-

tudawe, 2006, e-print arXiv:quant-ph/0607082.Tanaka, A., M. Fujiwara, S. W. Nam, Y. Nambu, S. Takahashi,

W. Maeda, K. Yoshino, S. Miki, B. Baek, Z. Wang, A. Tajima,M. Sasaki, and A. Tomita, 2008, e-print arXiv:0805.2193.

Tanzilli, S., H. De Riedmatten, W. Tittel, H. Zbinden, P. Baldi,M. De Micheli, D. B. Ostrowsky, and N. Gisin, 2001, Elec-tron. Lett. 37, 26.

Tapster, P. R., and J. G. Rarity, 1998, J. Mod. Opt. 45, 595.Thew, R., A. Acín, H. Zbinden, and N. Gisin, 2004, Quantum

Inf. Comput. 4, 93.Thew, R., S. Tanzilli, L. Krainer, S. C. Zeller, A. Rochas, I.

Rech, S. Cova, H. Zbinden, and N. Gisin, 2006, New J. Phys.8, 32.

Tittel, W., J. Brendel, H. Zbinden, and N. Gisin, 2000, Phys.Rev. Lett. 84, 4737.

Townsend, P. D., S. J. D. Phoenix, K. J. Blow, and S. M. Bar-nett, 1994, Electron. Lett. 30, 1875.

Townsend, P. D., J. G. Rarity, and P. R. Tapster, 1993, Elec-tron. Lett. 29, 1291.

Trifonov, A., D. Subacius, A. Berzanskis, and A. Zavriyev,2004, J. Mod. Opt. 51, 1399.

Tsujino, K., H. F. Hofmann, S. Takeuchi, and K. Sasaki, 2004,Phys. Rev. Lett. 92, 153602.

Tsurumaru, T., 2007, Phys. Rev. A 75, 062319.Tsurumaru, T., A. Soujaeff, and S. Takeuchi, 2008, Phys. Rev.

A 77, 022319.Tsurumaru, T., and K. Tamaki, 2008, Phys. Rev. A 78, 032302.Ursin, R., F. Tiefenbacher, T. Schmitt-Manderbach, H. Weier,

T. Scheidl, M. Lindenthal, B. Blauensteiner, T. Jennewein, J.Perdigues, P. Trojek, B. Oemer, M. Fuerst, M. Meyenburg, J.Rarity, Z. Sodnik, C. Barbieri, H. Weinfurter, and A.Zeilinger, 2007, Nat. Phys. 3, 481.

Vakhitov, A., V. Makarov, and D. R. Hjelme, 2001, J. Mod.Opt. 48, 2023.

Van Assche, G., 2006, Quantum Cryptography and Secret-KeyDistillation !Cambridge University Press, Cambridge".

Van Assche, G., J. Cardinal, and N. J. Cerf, 2004, IEEE Trans.Inf. Theory 50, 394.

van Enk, S. J., and C. A. Fuchs, 2002, Quantum Inf. Comput.2, 151.

Verevkin, A., A. Pearlmany, W. Slyszyz, J. Zhangy, M. Currie,A. Korneev, G. Chulkova, O. Okunev, P. Kouminov, K.Smirnov, B. Voronov, G. N. Goltsman, and R. Sobolewskiy,2004, J. Mod. Opt. 51, 1447.

Verevkin, A., J. Zhang, R. Sobolewski, A. Lipatov, O.Okunev, G. Chulkova, A. Korneev, K. Smirnov, G. N. Golts-man, and A. Semenov, 2002, Appl. Phys. Lett. 80, 4687.

Vernam, G. S., 1926, J. Am. Inst. Elec. Eng. 55, 109.Waks, E., E. Diamanti, and Y. Yamamoto, 2006, New J. Phys.

8, 4.Waks, E., K. Inoue, W. D. Oliver, E. Diamanti, and Y. Yama-

moto, 2003, IEEE J. Sel. Top. Quantum Electron. 9, 1502.Waks, E., K. Inoue, C. Santori, D. Fattal, J. Vuckovic, G. So-

lomon, and Y. Yamamoto, 2002, Nature !London" 420, 762.Waks, E., C. Santori, and Y. Yamamoto, 2002, Phys. Rev. A 66,

042315.Waks, E., H. Takesue, and Y. Yamamoto, 2006, Phys. Rev. A

73, 012344.Waks, E., A. Zeevi, and Y. Yamamoto, 2002, Phys. Rev. A 65,

052310.



Wang, X.-B., 2001, e-print arXiv:quant-ph/0110089.Wang, X.-B., 2005, Phys. Rev. Lett. 94, 230503.Ward, M. B., O. Z. Karimov, D. C. Unitt, Z. L. Yuan, P. See,

D. G. Gevaux, A. J. Shields, P. Atkinson, and D. A. Ritchie,2005, Appl. Phys. Lett. 86, 201111.

Watanabe, S., R. Matsumoto, and T. Uyematsu, 2004, e-printarXiv:quant-ph/0412070.

Weedbrook, C., A. M. Lance, W. P. Bowen, T. Symul, T. C.Ralph, and P. K. Lam, 2004, Phys. Rev. Lett. 93, 170504.

Wegman, M. N., and J. L. Carter, 1981, J. Comput. Syst. Sci.22, 265.

Wehner, S., C. Schaffner, and B. Terhal, 2008, Phys. Rev. Lett.100, 220502.

Wiesner, S., 1983, SIGACT News 15, 78.Wootters, W. K., and W. H. Zurek, 1982, Nature !London" 299,

802.Wyner, A. D., 1975, Bell Syst. Tech. J. 54, 1355.Young, R. J., R. M. Stevenson, P. Atkinson, K. Cooper, D. A.

Ritchie, and A. J. Shields, 2006, New J. Phys. 8, 29.Yuan, Z. L., A. R. Dixon, J. F. Dynes, A. W. Sharpe, and A. J.

Shields, 2008, Appl. Phys. Lett. 92, 201104.Yuan, Z. L., B. E. Kardynal, A. W. Sharpe, and A. J. Shields,

2007, Appl. Phys. Lett. 91, 011114.Yuan, Z. L., A. W. Sharpe, and A. J. Shields, 2007, Appl. Phys.

Lett. 90, 011118.Yuan, Z. L., and A. J. Shields, 2005, Opt. Express 13, 660.Zanardi, P., and M. Rasetti, 1997, Phys. Rev. Lett. 79, 3306.Zhao, Y., C.-H. F. Fung, B. Qi, C. Chen, and H.-K. Lo, 2008,

Phys. Rev. A 78, 042333.Zhao, Y., B. Qi, and H.-K. Lo, 2007, Appl. Phys. Lett. 90,

044106.Zhao, Y., B. Qi, and H.-K. Lo, 2008, Phys. Rev. A 77, 052327.Zhao, Y., B. Qi, X. Ma, H.-K. Lo, and L. Qian, 2006, Phys.

Rev. Lett. 96, 070502.Zhou, C., G. Wu, X. Chen, and H. Zeng, 2003, Appl. Phys.

Lett. 83, 1692.Zinoni, C., B. Alloing, C. Monat, V. Zwiller, L. H. Li, A. Fiore,

L. Lunghi, A. Gerardino, H. de Riedmatten, H. Zbinden, andN. Gisin, 2006, Appl. Phys. Lett. 88, 131102.



Documents

The security of practical quantum key distributionquic.ulb.ac.be/_media/publications/2009-RMP-81-001301.pdf · quantum channel, allowing them to share quantum sig-nals, and a classical